diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..42f8cb6 --- /dev/null +++ b/.gitignore @@ -0,0 +1,13 @@ +SOURCES/blank-cert8.db +SOURCES/blank-cert9.db +SOURCES/blank-key3.db +SOURCES/blank-key4.db +SOURCES/blank-secmod.db +SOURCES/cert8.db.xml +SOURCES/cert9.db.xml +SOURCES/key3.db.xml +SOURCES/key4.db.xml +SOURCES/nss-3.41.tar.gz +SOURCES/nss-config.xml +SOURCES/secmod.db.xml +SOURCES/setup-nsssysinit.xml diff --git a/.nss.metadata b/.nss.metadata new file mode 100644 index 0000000..359f253 --- /dev/null +++ b/.nss.metadata @@ -0,0 +1,13 @@ +d272a7b58364862613d44261c5744f7a336bf177 SOURCES/blank-cert8.db +b5570125fbf6bfb410705706af48217a0817c03a SOURCES/blank-cert9.db +7f78b5bcecdb5005e7b803604b2ec9d1a9df2fb5 SOURCES/blank-key3.db +f9c9568442386da370193474de1b25c3f68cdaf6 SOURCES/blank-key4.db +bd748cf6e1465a1bbe6e751b72ffc0076aff0b50 SOURCES/blank-secmod.db +6a43a6788fff0f2a967051209adbd354fad4c346 SOURCES/cert8.db.xml +ea6705e15999bdc6365f05b3d66f9c1d49677f84 SOURCES/cert9.db.xml +24c123810543ff0f6848647d6d910744e275fb01 SOURCES/key3.db.xml +af51b16a56fda1f7525a0eed3ecbdcbb4133be0c SOURCES/key4.db.xml +69c60e8d3190573dbcbc01f50e68e3ceb7d92522 SOURCES/nss-3.41.tar.gz +2905c9b06e7e686c9e3c0b5736a218766d4ae4c2 SOURCES/nss-config.xml +ca9ebf79c1437169a02527c18b1e3909943c4be9 SOURCES/secmod.db.xml +bcbe05281b38d843273f91ae3f9f19f70c7d97b3 SOURCES/setup-nsssysinit.xml diff --git a/SOURCES/enable-fips-when-system-is-in-fips-mode.patch b/SOURCES/enable-fips-when-system-is-in-fips-mode.patch new file mode 100644 index 0000000..dde5dcb --- /dev/null +++ b/SOURCES/enable-fips-when-system-is-in-fips-mode.patch @@ -0,0 +1,79 @@ +diff -up nss/lib/pk11wrap/pk11pars.c.852023_enable_fips_when_in_fips_mode nss/lib/pk11wrap/pk11pars.c +--- nss/lib/pk11wrap/pk11pars.c.852023_enable_fips_when_in_fips_mode 2018-03-05 16:58:32.000000000 +0100 ++++ nss/lib/pk11wrap/pk11pars.c 2018-03-09 17:24:39.815838810 +0100 +@@ -671,6 +671,10 @@ SECMOD_CreateModuleEx(const char *librar + + mod->internal = NSSUTIL_ArgHasFlag("flags", "internal", nssc); + mod->isFIPS = NSSUTIL_ArgHasFlag("flags", "FIPS", nssc); ++ /* if the system FIPS mode is enabled, force FIPS to be on */ ++ if (SECMOD_GetSystemFIPSEnabled()) { ++ mod->isFIPS = PR_TRUE; ++ } + mod->isCritical = NSSUTIL_ArgHasFlag("flags", "critical", nssc); + slotParams = NSSUTIL_ArgGetParamValue("slotParams", nssc); + mod->slotInfo = NSSUTIL_ArgParseSlotInfo(mod->arena, slotParams, +diff -up nss/lib/pk11wrap/pk11util.c.852023_enable_fips_when_in_fips_mode nss/lib/pk11wrap/pk11util.c +--- nss/lib/pk11wrap/pk11util.c.852023_enable_fips_when_in_fips_mode 2018-03-05 16:58:32.000000000 +0100 ++++ nss/lib/pk11wrap/pk11util.c 2018-03-09 17:25:46.804347730 +0100 +@@ -95,6 +95,26 @@ SECMOD_Shutdown() + return SECSuccess; + } + ++int SECMOD_GetSystemFIPSEnabled(void) { ++#ifdef LINUX ++ FILE *f; ++ char d; ++ size_t size; ++ ++ f = fopen("/proc/sys/crypto/fips_enabled", "r"); ++ if (!f) ++ return 0; ++ ++ size = fread(&d, 1, 1, f); ++ fclose(f); ++ if (size != 1) ++ return 0; ++ if (d == '1') ++ return 1; ++#endif ++ return 0; ++} ++ + /* + * retrieve the internal module + */ +@@ -428,7 +448,7 @@ SECMOD_DeleteInternalModule(const char * + SECMODModuleList **mlpp; + SECStatus rv = SECFailure; + +- if (pendingModule) { ++ if (SECMOD_GetSystemFIPSEnabled() || pendingModule) { + PORT_SetError(SEC_ERROR_MODULE_STUCK); + return rv; + } +@@ -963,7 +983,7 @@ SECMOD_CanDeleteInternalModule(void) + #ifdef NSS_FIPS_DISABLED + return PR_FALSE; + #else +- return (PRBool)(pendingModule == NULL); ++ return (PRBool) ((pendingModule == NULL) && !SECMOD_GetSystemFIPSEnabled()); + #endif + } + +diff -up nss/lib/pk11wrap/secmodi.h.852023_enable_fips_when_in_fips_mode nss/lib/pk11wrap/secmodi.h +--- nss/lib/pk11wrap/secmodi.h.852023_enable_fips_when_in_fips_mode 2018-03-05 16:58:32.000000000 +0100 ++++ nss/lib/pk11wrap/secmodi.h 2018-03-09 17:24:39.816838788 +0100 +@@ -115,6 +115,13 @@ PK11SymKey *pk11_TokenKeyGenWithFlagsAnd + CK_MECHANISM_TYPE pk11_GetPBECryptoMechanism(SECAlgorithmID *algid, + SECItem **param, SECItem *pwd, PRBool faulty3DES); + ++/* Get the state of the system FIPS mode */ ++/* NSS uses this to force FIPS mode if the system bit is on. Applications which ++ * use the SECMOD_CanDeleteInteral() to check to see if they can switch to or ++ * from FIPS mode will automatically be told that they can't swith out of FIPS ++ * mode */ ++int SECMOD_GetSystemFIPSEnabled(); ++ + extern void pk11sdr_Init(void); + extern void pk11sdr_Shutdown(void); + diff --git a/SOURCES/iquote.patch b/SOURCES/iquote.patch new file mode 100644 index 0000000..6e4adcd --- /dev/null +++ b/SOURCES/iquote.patch @@ -0,0 +1,13 @@ +diff -up nss/coreconf/location.mk.iquote nss/coreconf/location.mk +--- nss/coreconf/location.mk.iquote 2017-07-27 16:09:32.000000000 +0200 ++++ nss/coreconf/location.mk 2017-09-06 13:23:14.633611555 +0200 +@@ -75,4 +75,9 @@ ifndef SQLITE_LIB_NAME + SQLITE_LIB_NAME = sqlite3 + endif + ++# Prefer in-tree headers over system headers ++ifdef IN_TREE_FREEBL_HEADERS_FIRST ++ INCLUDES += -iquote $(DIST)/../public/nss -iquote $(DIST)/../private/nss ++endif ++ + MK_LOCATION = included diff --git a/SOURCES/nss-3.39-create-public-key-on-private-import.patch b/SOURCES/nss-3.39-create-public-key-on-private-import.patch new file mode 100644 index 0000000..c17a38a --- /dev/null +++ b/SOURCES/nss-3.39-create-public-key-on-private-import.patch @@ -0,0 +1,804 @@ +# HG changeset patch +# User Robert Relyea +# Date 1544226862 28800 +# Fri Dec 07 15:54:22 2018 -0800 +# Node ID 521a5b2f10cc197b9349df033f9d3cca0b5226c5 +# Parent 5ac4d4904afae59149bb1fab49c3b21244a51a22 +try: -b do -u all - p all -t all + +diff --git a/cmd/manifest.mn b/cmd/manifest.mn +--- a/cmd/manifest.mn ++++ b/cmd/manifest.mn +@@ -51,16 +51,17 @@ NSS_SRCDIRS = \ + ocspclnt \ + ocspresp \ + oidcalc \ + p7content \ + p7env \ + p7sign \ + p7verify \ + pk12util \ ++ pk11import \ + pk11ectest \ + pk11gcmtest \ + pk11mode \ + pk1sign \ + pp \ + pwdecrypt \ + rsaperf \ + rsapoptst \ +diff --git a/cmd/pk11import/Makefile b/cmd/pk11import/Makefile +new file mode 100644 +--- /dev/null ++++ b/cmd/pk11import/Makefile +@@ -0,0 +1,43 @@ ++#! gmake ++# ++# This Source Code Form is subject to the terms of the Mozilla Public ++# License, v. 2.0. If a copy of the MPL was not distributed with this ++# file, You can obtain one at http://mozilla.org/MPL/2.0/. ++ ++####################################################################### ++# (1) Include initial platform-independent assignments (MANDATORY). # ++####################################################################### ++ ++include manifest.mn ++ ++####################################################################### ++# (2) Include "global" configuration information. (OPTIONAL) # ++####################################################################### ++ ++include $(CORE_DEPTH)/coreconf/config.mk ++ ++####################################################################### ++# (3) Include "component" configuration information. (OPTIONAL) # ++####################################################################### ++ ++####################################################################### ++# (4) Include "local" platform-dependent assignments (OPTIONAL). # ++####################################################################### ++ ++include ../platlibs.mk ++ ++####################################################################### ++# (5) Execute "global" rules. (OPTIONAL) # ++####################################################################### ++ ++include $(CORE_DEPTH)/coreconf/rules.mk ++ ++####################################################################### ++# (6) Execute "component" rules. (OPTIONAL) # ++####################################################################### ++ ++####################################################################### ++# (7) Execute "local" rules. (OPTIONAL). # ++####################################################################### ++ ++include ../platrules.mk +diff --git a/cmd/pk11import/manifest.mn b/cmd/pk11import/manifest.mn +new file mode 100644 +--- /dev/null ++++ b/cmd/pk11import/manifest.mn +@@ -0,0 +1,15 @@ ++# This Source Code Form is subject to the terms of the Mozilla Public ++# License, v. 2.0. If a copy of the MPL was not distributed with this ++# file, You can obtain one at http://mozilla.org/MPL/2.0/. ++ ++CORE_DEPTH = ../.. ++ ++MODULE = nss ++ ++CSRCS = pk11import.c \ ++ $(NULL) ++ ++REQUIRES = seccmd ++ ++PROGRAM = pk11import ++ +diff --git a/cmd/pk11import/pk11import.c b/cmd/pk11import/pk11import.c +new file mode 100644 +--- /dev/null ++++ b/cmd/pk11import/pk11import.c +@@ -0,0 +1,410 @@ ++/* This Source Code Form is subject to the terms of the Mozilla Public ++ * License, v. 2.0. If a copy of the MPL was not distributed with this ++ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ ++ ++#include "secutil.h" ++#include "secmod.h" ++#include "cert.h" ++#include "secoid.h" ++#include "nss.h" ++#include "pk11pub.h" ++#include "pk11pqg.h" ++ ++/* NSPR 2.0 header files */ ++#include "prinit.h" ++#include "prprf.h" ++#include "prsystem.h" ++#include "prmem.h" ++/* Portable layer header files */ ++#include "plstr.h" ++ ++SECOidData * ++getCurveFromString(char *curve_name) ++{ ++ SECOidTag tag = SEC_OID_SECG_EC_SECP256R1; ++ ++ if (PORT_Strcasecmp(curve_name, "NISTP256") == 0) { ++ } else if (PORT_Strcasecmp(curve_name, "NISTP384") == 0) { ++ tag = SEC_OID_SECG_EC_SECP384R1; ++ } else if (PORT_Strcasecmp(curve_name, "NISTP521") == 0) { ++ tag = SEC_OID_SECG_EC_SECP521R1; ++ } else if (PORT_Strcasecmp(curve_name, "Curve25519") == 0) { ++ tag = SEC_OID_CURVE25519; ++ } ++ return SECOID_FindOIDByTag(tag); ++} ++ ++void ++dumpItem(const char *label, const SECItem *item) ++{ ++ int i; ++ printf("%s = [%d bytes] {", label, item->len); ++ for (i = 0; i < item->len; i++) { ++ if ((i & 0xf) == 0) ++ printf("\n "); ++ else ++ printf(", "); ++ printf("%02x", item->data[i]); ++ } ++ printf("};\n"); ++} ++ ++SECStatus ++handleEncryptedPrivateImportTest(char *progName, PK11SlotInfo *slot, ++ char *testname, CK_MECHANISM_TYPE genMech, void *params, void *pwArgs) ++{ ++ SECStatus rv = SECSuccess; ++ SECItem privID = { 0 }; ++ SECItem pubID = { 0 }; ++ SECItem pubValue = { 0 }; ++ SECItem pbePwItem = { 0 }; ++ SECItem nickname = { 0 }; ++ SECItem token = { 0 }; ++ SECKEYPublicKey *pubKey = NULL; ++ SECKEYPrivateKey *privKey = NULL; ++ PK11GenericObject *objs = NULL; ++ PK11GenericObject *obj = NULL; ++ SECKEYEncryptedPrivateKeyInfo *epki = NULL; ++ PRBool keyFound = 0; ++ KeyType keyType; ++ ++ fprintf(stderr, "Testing %s PrivateKeyImport ***********************\n", ++ testname); ++ ++ /* generate a temp key */ ++ privKey = PK11_GenerateKeyPair(slot, genMech, params, &pubKey, ++ PR_FALSE, PR_TRUE, pwArgs); ++ if (privKey == NULL) { ++ SECU_PrintError(progName, "PK11_GenerateKeyPair Failed"); ++ goto cleanup; ++ } ++ ++ /* wrap the temp key */ ++ pbePwItem.data = (unsigned char *)"pw"; ++ pbePwItem.len = 2; ++ epki = PK11_ExportEncryptedPrivKeyInfo(slot, SEC_OID_AES_256_CBC, ++ &pbePwItem, privKey, 1, NULL); ++ if (epki == NULL) { ++ SECU_PrintError(progName, "PK11_ExportEncryptedPrivKeyInfo Failed"); ++ goto cleanup; ++ } ++ ++ /* Save the public value, which we will need on import */ ++ keyType = pubKey->keyType; ++ switch (keyType) { ++ case rsaKey: ++ SECITEM_CopyItem(NULL, &pubValue, &pubKey->u.rsa.modulus); ++ break; ++ case dhKey: ++ SECITEM_CopyItem(NULL, &pubValue, &pubKey->u.dh.publicValue); ++ break; ++ case dsaKey: ++ SECITEM_CopyItem(NULL, &pubValue, &pubKey->u.dsa.publicValue); ++ break; ++ case ecKey: ++ SECITEM_CopyItem(NULL, &pubValue, &pubKey->u.ec.publicValue); ++ break; ++ default: ++ fprintf(stderr, "Unknown keytype = %d\n", keyType); ++ goto cleanup; ++ } ++ dumpItem("pubValue", &pubValue); ++ ++ /* when Asymetric keys represent session keys, those session keys are ++ * destroyed when we destroy the Asymetric key representations */ ++ SECKEY_DestroyPublicKey(pubKey); ++ pubKey = NULL; ++ SECKEY_DestroyPrivateKey(privKey); ++ privKey = NULL; ++ ++ /* unwrap the temp key as a perm */ ++ nickname.data = (unsigned char *)"testKey"; ++ nickname.len = sizeof("testKey"); ++ rv = PK11_ImportEncryptedPrivateKeyInfoAndReturnKey(slot, epki, &pbePwItem, ++ &nickname, &pubValue, PR_TRUE, PR_TRUE, keyType, 0, &privKey, NULL); ++ if (rv != SECSuccess) { ++ SECU_PrintError(progName, "PK11_ImportEncryptedPrivateKeyInfo Failed"); ++ goto cleanup; ++ } ++ ++ /* verify the public key exists */ ++ rv = PK11_ReadRawAttribute(PK11_TypePrivKey, privKey, CKA_ID, &privID); ++ if (rv != SECSuccess) { ++ SECU_PrintError(progName, ++ "Couldn't read CKA_ID from pub key, checking next key"); ++ goto cleanup; ++ } ++ dumpItem("privKey CKA_ID", &privID); ++ objs = PK11_FindGenericObjects(slot, CKO_PUBLIC_KEY); ++ for (obj = objs; obj; obj = PK11_GetNextGenericObject(obj)) { ++ rv = PK11_ReadRawAttribute(PK11_TypeGeneric, obj, CKA_ID, &pubID); ++ if (rv != SECSuccess) { ++ SECU_PrintError(progName, ++ "Couldn't read CKA_ID from pub key, checking next key"); ++ continue; ++ } ++ dumpItem("pubKey CKA_ID", &pubID); ++ if (!SECITEM_ItemsAreEqual(&privID, &pubID)) { ++ fprintf(stderr, ++ "CKA_ID does not match priv key, checking next key\n"); ++ SECITEM_FreeItem(&pubID, PR_FALSE); ++ continue; ++ } ++ SECITEM_FreeItem(&pubID, PR_FALSE); ++ rv = PK11_ReadRawAttribute(PK11_TypeGeneric, obj, CKA_TOKEN, &token); ++ if (rv == SECSuccess) { ++ if (token.len == 1) { ++ keyFound = token.data[0]; ++ } ++ SECITEM_FreeItem(&token, PR_FALSE); ++ } ++ if (keyFound) { ++ printf("matching public key found\n"); ++ break; ++ } ++ printf("Matching key was not a token key, checking next key\n"); ++ } ++cleanup: ++ if (objs) { ++ PK11_DestroyGenericObjects(objs); ++ } ++ if (pubValue.data) { ++ SECITEM_FreeItem(&pubValue, PR_FALSE); ++ } ++ if (privID.data) { ++ SECITEM_FreeItem(&privID, PR_FALSE); ++ } ++ if (epki) { ++ PORT_FreeArena(epki->arena, PR_TRUE); ++ } ++ if (pubKey) { ++ SECKEY_DestroyPublicKey(pubKey); ++ } ++ if (privKey) { ++ SECKEY_DestroyPrivateKey(privKey); ++ } ++ fprintf(stderr, "%s PrivateKeyImport %s ***********************\n", ++ testname, keyFound ? "PASSED" : "FAILED"); ++ return keyFound ? SECSuccess : SECFailure; ++} ++ ++static const char *const usageInfo[] = { ++ "pk11import - test PK11_PrivateKeyImport()" ++ "Options:", ++ " -d certdir directory containing cert database", ++ " -k keysize size of the rsa, dh, and dsa key to test (default 1024)", ++ " -C ecc_curve ecc curve (default )", ++ " -f pwFile file to fetch the password from", ++ " -p pwString password", ++ " -r skip rsa test", ++ " -D skip dsa test", ++ " -h skip dh test", ++ " -e skip ec test", ++}; ++static int nUsageInfo = sizeof(usageInfo) / sizeof(char *); ++ ++static void ++Usage(char *progName, FILE *outFile) ++{ ++ int i; ++ fprintf(outFile, "Usage: %s [ commands ] options\n", progName); ++ for (i = 0; i < nUsageInfo; i++) ++ fprintf(outFile, "%s\n", usageInfo[i]); ++ exit(-1); ++} ++ ++enum { ++ opt_CertDir, ++ opt_KeySize, ++ opt_ECCurve, ++ opt_PWFile, ++ opt_PWString, ++ opt_NoRSA, ++ opt_NoDSA, ++ opt_NoDH, ++ opt_NoEC ++}; ++ ++static secuCommandFlag options[] = ++ { ++ { /* opt_CertDir */ 'd', PR_TRUE, 0, PR_FALSE }, ++ { /* opt_KeySize */ 'k', PR_TRUE, 0, PR_FALSE }, ++ { /* opt_ECCurve */ 'C', PR_TRUE, 0, PR_FALSE }, ++ { /* opt_PWFile */ 'f', PR_TRUE, 0, PR_FALSE }, ++ { /* opt_PWString */ 'p', PR_TRUE, 0, PR_FALSE }, ++ { /* opt_NORSA */ 'r', PR_FALSE, 0, PR_FALSE }, ++ { /* opt_NoDSA */ 'D', PR_FALSE, 0, PR_FALSE }, ++ { /* opt_NoDH */ 'h', PR_FALSE, 0, PR_FALSE }, ++ { /* opt_NoEC */ 'e', PR_FALSE, 0, PR_FALSE }, ++ }; ++ ++int ++main(int argc, char **argv) ++{ ++ char *progName; ++ SECStatus rv; ++ secuCommand args; ++ PK11SlotInfo *slot = NULL; ++ PRBool failed = PR_FALSE; ++ secuPWData pwArgs = { PW_NONE, 0 }; ++ PRBool doRSA = PR_TRUE; ++ PRBool doDSA = PR_TRUE; ++ PRBool doDH = PR_FALSE; /* NSS currently can't export wrapped DH keys */ ++ PRBool doEC = PR_TRUE; ++ PQGParams *pqgParams = NULL; ++ int keySize; ++ ++ args.numCommands = 0; ++ args.numOptions = sizeof(options) / sizeof(secuCommandFlag); ++ args.commands = NULL; ++ args.options = options; ++ ++#ifdef XP_PC ++ progName = strrchr(argv[0], '\\'); ++#else ++ progName = strrchr(argv[0], '/'); ++#endif ++ progName = progName ? progName + 1 : argv[0]; ++ ++ rv = SECU_ParseCommandLine(argc, argv, progName, &args); ++ if (SECSuccess != rv) { ++ Usage(progName, stderr); ++ } ++ ++ /* Set the certdb directory (default is ~/.netscape) */ ++ rv = NSS_InitReadWrite(SECU_ConfigDirectory(args.options[opt_CertDir].arg)); ++ if (rv != SECSuccess) { ++ SECU_PrintPRandOSError(progName); ++ return 255; ++ } ++ PK11_SetPasswordFunc(SECU_GetModulePassword); ++ ++ /* below here, goto cleanup */ ++ SECU_RegisterDynamicOids(); ++ ++ /* handle the arguments */ ++ if (args.options[opt_PWFile].arg) { ++ pwArgs.source = PW_FROMFILE; ++ pwArgs.data = args.options[opt_PWFile].arg; ++ } ++ if (args.options[opt_PWString].arg) { ++ pwArgs.source = PW_PLAINTEXT; ++ pwArgs.data = args.options[opt_PWString].arg; ++ } ++ if (args.options[opt_NoRSA].activated) { ++ doRSA = PR_FALSE; ++ } ++ if (args.options[opt_NoDSA].activated) { ++ doDSA = PR_FALSE; ++ } ++ if (args.options[opt_NoDH].activated) { ++ doDH = PR_FALSE; ++ } ++ if (args.options[opt_NoEC].activated) { ++ doEC = PR_FALSE; ++ } ++ ++ slot = PK11_GetInternalKeySlot(); ++ if (slot == NULL) { ++ SECU_PrintError(progName, "Couldn't find the internal key slot\n"); ++ return 255; ++ } ++ rv = PK11_Authenticate(slot, PR_TRUE, &pwArgs); ++ if (rv != SECSuccess) { ++ SECU_PrintError(progName, "Failed to log into slot"); ++ PK11_FreeSlot(slot); ++ return 255; ++ } ++ ++ keySize = 1024; ++ if (args.options[opt_KeySize].activated && ++ args.options[opt_KeySize].arg) { ++ keySize = atoi(args.options[opt_KeySize].arg); ++ } ++ ++ if (doDSA || doDH) { ++ PQGVerify *pqgVfy; ++ rv = PK11_PQG_ParamGenV2(keySize, 0, keySize / 16, &pqgParams, &pqgVfy); ++ if (rv == SECSuccess) { ++ PK11_PQG_DestroyVerify(pqgVfy); ++ } else { ++ SECU_PrintError(progName, ++ "PK11_PQG_ParamGenV2 failed, can't test DH or DSA"); ++ doDSA = doDH = PR_FALSE; ++ failed = PR_TRUE; ++ } ++ } ++ ++ if (doRSA) { ++ PK11RSAGenParams rsaParams; ++ rsaParams.keySizeInBits = keySize; ++ rsaParams.pe = 0x010001; ++ rv = handleEncryptedPrivateImportTest(progName, slot, "RSA", ++ CKM_RSA_PKCS_KEY_PAIR_GEN, &rsaParams, &pwArgs); ++ if (rv != SECSuccess) { ++ fprintf(stderr, "RSA Import Failed!\n"); ++ failed = PR_TRUE; ++ } ++ } ++ if (doDSA) { ++ rv = handleEncryptedPrivateImportTest(progName, slot, "DSA", ++ CKM_DSA_KEY_PAIR_GEN, pqgParams, &pwArgs); ++ if (rv != SECSuccess) { ++ fprintf(stderr, "DSA Import Failed!\n"); ++ failed = PR_TRUE; ++ } ++ } ++ if (doDH) { ++ SECKEYDHParams dhParams; ++ dhParams.prime = pqgParams->prime; ++ dhParams.base = pqgParams->base; ++ rv = handleEncryptedPrivateImportTest(progName, slot, "DH", ++ CKM_DH_PKCS_KEY_PAIR_GEN, &dhParams, &pwArgs); ++ if (rv != SECSuccess) { ++ fprintf(stderr, "DH Import Failed!\n"); ++ failed = PR_TRUE; ++ } ++ } ++ if (doEC) { ++ SECKEYECParams ecParams; ++ SECOidData *curve = SECOID_FindOIDByTag(SEC_OID_SECG_EC_SECP256R1); ++ if (args.options[opt_ECCurve].activated && ++ args.options[opt_ECCurve].arg) { ++ curve = getCurveFromString(args.options[opt_ECCurve].arg); ++ } ++ ecParams.data = PORT_Alloc(curve->oid.len + 2); ++ if (ecParams.data == NULL) { ++ rv = SECFailure; ++ goto ec_failed; ++ } ++ ecParams.data[0] = SEC_ASN1_OBJECT_ID; ++ ecParams.data[1] = (unsigned char)curve->oid.len; ++ PORT_Memcpy(&ecParams.data[2], curve->oid.data, curve->oid.len); ++ ecParams.len = curve->oid.len + 2; ++ rv = handleEncryptedPrivateImportTest(progName, slot, "ECC", ++ CKM_EC_KEY_PAIR_GEN, &ecParams, &pwArgs); ++ PORT_Free(ecParams.data); ++ ec_failed: ++ if (rv != SECSuccess) { ++ fprintf(stderr, "ECC Import Failed!\n"); ++ failed = PR_TRUE; ++ } ++ } ++ ++ if (pqgParams) { ++ PK11_PQG_DestroyParams(pqgParams); ++ } ++ ++ if (slot) { ++ PK11_FreeSlot(slot); ++ } ++ ++ rv = NSS_Shutdown(); ++ if (rv != SECSuccess) { ++ fprintf(stderr, "Shutdown failed\n"); ++ SECU_PrintPRandOSError(progName); ++ return 255; ++ } ++ ++ return failed ? 1 : 0; ++} +diff --git a/cmd/pk11import/pk11import.gyp b/cmd/pk11import/pk11import.gyp +new file mode 100644 +--- /dev/null ++++ b/cmd/pk11import/pk11import.gyp +@@ -0,0 +1,25 @@ ++# This Source Code Form is subject to the terms of the Mozilla Public ++# License, v. 2.0. If a copy of the MPL was not distributed with this ++# file, You can obtain one at http://mozilla.org/MPL/2.0/. ++{ ++ 'includes': [ ++ '../../coreconf/config.gypi', ++ '../../cmd/platlibs.gypi' ++ ], ++ 'targets': [ ++ { ++ 'target_name': 'pk11import', ++ 'type': 'executable', ++ 'sources': [ ++ 'pk11import.c' ++ ], ++ 'dependencies': [ ++ '<(DEPTH)/exports.gyp:dbm_exports', ++ '<(DEPTH)/exports.gyp:nss_exports' ++ ] ++ } ++ ], ++ 'variables': { ++ 'module': 'nss' ++ } ++} +diff --git a/lib/pk11wrap/pk11akey.c b/lib/pk11wrap/pk11akey.c +--- a/lib/pk11wrap/pk11akey.c ++++ b/lib/pk11wrap/pk11akey.c +@@ -1672,16 +1672,96 @@ PK11_MakeKEAPubKey(unsigned char *keyDat + rv = SECITEM_CopyItem(arena, &pubk->u.fortezza.KEAKey, &pkData); + if (rv != SECSuccess) { + PORT_FreeArena(arena, PR_FALSE); + return NULL; + } + return pubk; + } + ++SECStatus ++SECKEY_SetPublicValue(SECKEYPrivateKey *privKey, SECItem *publicValue) ++{ ++ SECStatus rv; ++ SECKEYPublicKey pubKey; ++ PLArenaPool *arena; ++ PK11SlotInfo *slot = privKey->pkcs11Slot; ++ CK_OBJECT_HANDLE privKeyID = privKey->pkcs11ID; ++ ++ pubKey.arena = NULL; ++ pubKey.keyType = privKey->keyType; ++ pubKey.pkcs11Slot = NULL; ++ pubKey.pkcs11ID = CK_INVALID_HANDLE; ++ /* can't use PORT_InitCheapArena here becase SECKEY_DestroyPublic is used ++ * to free it, and it uses PORT_FreeArena which not only frees the ++ * underlying arena, it also frees the allocated arena struct. */ ++ arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); ++ pubKey.arena = arena; ++ if (arena == NULL) { ++ return SECFailure; ++ } ++ rv = SECFailure; ++ switch (privKey->keyType) { ++ default: ++ /* error code already set to SECFailure */ ++ break; ++ case rsaKey: ++ pubKey.u.rsa.modulus = *publicValue; ++ rv = PK11_ReadAttribute(slot, privKeyID, CKA_PUBLIC_EXPONENT, ++ arena, &pubKey.u.rsa.publicExponent); ++ break; ++ case dsaKey: ++ pubKey.u.dsa.publicValue = *publicValue; ++ rv = PK11_ReadAttribute(slot, privKeyID, CKA_PRIME, ++ arena, &pubKey.u.dsa.params.prime); ++ if (rv != SECSuccess) { ++ break; ++ } ++ rv = PK11_ReadAttribute(slot, privKeyID, CKA_SUBPRIME, ++ arena, &pubKey.u.dsa.params.subPrime); ++ if (rv != SECSuccess) { ++ break; ++ } ++ rv = PK11_ReadAttribute(slot, privKeyID, CKA_BASE, ++ arena, &pubKey.u.dsa.params.base); ++ break; ++ case dhKey: ++ pubKey.u.dh.publicValue = *publicValue; ++ rv = PK11_ReadAttribute(slot, privKeyID, CKA_PRIME, ++ arena, &pubKey.u.dh.prime); ++ if (rv != SECSuccess) { ++ break; ++ } ++ rv = PK11_ReadAttribute(slot, privKeyID, CKA_BASE, ++ arena, &pubKey.u.dh.base); ++ break; ++ case ecKey: ++ pubKey.u.ec.publicValue = *publicValue; ++ pubKey.u.ec.encoding = ECPoint_Undefined; ++ pubKey.u.ec.size = 0; ++ rv = PK11_ReadAttribute(slot, privKeyID, CKA_EC_PARAMS, ++ arena, &pubKey.u.ec.DEREncodedParams); ++ break; ++ } ++ if (rv == SECSuccess) { ++ rv = PK11_ImportPublicKey(slot, &pubKey, PR_TRUE); ++ } ++ /* Even though pubKey is stored on the stack, we've allocated ++ * some of it's data from the arena. SECKEY_DestroyPublicKey ++ * destroys keys by freeing the arena, so this will clean up all ++ * the data we allocated specifically for the key above. It will ++ * also free any slot references which we may have picked up in ++ * PK11_ImportPublicKey. It won't delete the underlying key if ++ * its a Token/Permanent key (which it will be if ++ * PK11_ImportPublicKey succeeds). */ ++ SECKEY_DestroyPublicKey(&pubKey); ++ ++ return rv; ++} ++ + /* + * NOTE: This function doesn't return a SECKEYPrivateKey struct to represent + * the new private key object. If it were to create a session object that + * could later be looked up by its nickname, it would leak a SECKEYPrivateKey. + * So isPerm must be true. + */ + SECStatus + PK11_ImportEncryptedPrivateKeyInfo(PK11SlotInfo *slot, +@@ -1797,22 +1877,16 @@ try_faulty_3des: + + PORT_Assert(usage != NULL); + PORT_Assert(usageCount != 0); + privKey = PK11_UnwrapPrivKey(slot, key, cryptoMechType, + crypto_param, &epki->encryptedData, + nickname, publicValue, isPerm, isPrivate, + key_type, usage, usageCount, wincx); + if (privKey) { +- if (privk) { +- *privk = privKey; +- } else { +- SECKEY_DestroyPrivateKey(privKey); +- } +- privKey = NULL; + rv = SECSuccess; + goto done; + } + + /* if we are unable to import the key and the pbeMechType is + * CKM_NETSCAPE_PBE_SHA1_TRIPLE_DES_CBC, then it is possible that + * the encrypted blob was created with a buggy key generation method + * which is described in the PKCS 12 implementation notes. So we +@@ -1832,16 +1906,35 @@ try_faulty_3des: + faulty3DES = PR_TRUE; + goto try_faulty_3des; + } + + /* key import really did fail */ + rv = SECFailure; + + done: ++ if ((rv == SECSuccess) && isPerm) { ++ /* If we are importing a token object, ++ * create the corresponding public key. ++ * If this fails, just continue as the target ++ * token simply might not support persistant ++ * public keys. Such tokens are usable, but ++ * need to be authenticated before searching ++ * for user certs. */ ++ (void)SECKEY_SetPublicValue(privKey, publicValue); ++ } ++ ++ if (privKey) { ++ if (privk) { ++ *privk = privKey; ++ } else { ++ SECKEY_DestroyPrivateKey(privKey); ++ } ++ privKey = NULL; ++ } + if (crypto_param != NULL) { + SECITEM_ZfreeItem(crypto_param, PR_TRUE); + } + + if (key != NULL) { + PK11_FreeSymKey(key); + } + +diff --git a/lib/softoken/pkcs11.c b/lib/softoken/pkcs11.c +--- a/lib/softoken/pkcs11.c ++++ b/lib/softoken/pkcs11.c +@@ -1810,29 +1810,36 @@ sftk_GetPubKey(SFTKObject *object, CK_KE + * Some curves are always pressumed to be non-DER. + */ + if (pubKey->u.ec.publicValue.len == keyLen && + (pubKey->u.ec.ecParams.fieldID.type == ec_field_plain || + pubKey->u.ec.publicValue.data[0] == EC_POINT_FORM_UNCOMPRESSED)) { + break; /* key was not DER encoded, no need to unwrap */ + } + +- PORT_Assert(pubKey->u.ec.ecParams.name != ECCurve25519); ++ /* The PKCS #11 spec says that the Params should be DER encoded. Even though the params from the ++ * Certificate aren't according the the ECCurve 25519 spec. We should accept this encoding. ++ PORT_Assert(pubKey->u.ec.ecParams.name != ECCurve25519); */ + + /* handle the encoded case */ + if ((pubKey->u.ec.publicValue.data[0] == SEC_ASN1_OCTET_STRING) && + pubKey->u.ec.publicValue.len > keyLen) { + SECItem publicValue; + SECStatus rv; + + rv = SEC_QuickDERDecodeItem(arena, &publicValue, + SEC_ASN1_GET(SEC_OctetStringTemplate), + &pubKey->u.ec.publicValue); + /* nope, didn't decode correctly */ +- if ((rv != SECSuccess) || (publicValue.data[0] != EC_POINT_FORM_UNCOMPRESSED) || (publicValue.len != keyLen)) { ++ if ((rv != SECSuccess) || (publicValue.len != keyLen)) { ++ crv = CKR_ATTRIBUTE_VALUE_INVALID; ++ break; ++ } ++ /* we don't handle compressed points except in the case of ECCurve25519 */ ++ if ((pubKey->u.ec.ecParams.fieldID.type != ec_field_plain) && (publicValue.data[0] != EC_POINT_FORM_UNCOMPRESSED)) { + crv = CKR_ATTRIBUTE_VALUE_INVALID; + break; + } + /* replace our previous with the decoded key */ + pubKey->u.ec.publicValue = publicValue; + break; + } + crv = CKR_ATTRIBUTE_VALUE_INVALID; +diff --git a/nss.gyp b/nss.gyp +--- a/nss.gyp ++++ b/nss.gyp +@@ -159,16 +159,17 @@ + 'cmd/oidcalc/oidcalc.gyp:oidcalc', + 'cmd/p7content/p7content.gyp:p7content', + 'cmd/p7env/p7env.gyp:p7env', + 'cmd/p7sign/p7sign.gyp:p7sign', + 'cmd/p7verify/p7verify.gyp:p7verify', + 'cmd/pk11ectest/pk11ectest.gyp:pk11ectest', + 'cmd/pk11gcmtest/pk11gcmtest.gyp:pk11gcmtest', + 'cmd/pk11mode/pk11mode.gyp:pk11mode', ++ 'cmd/pk11import/pk11import.gyp:pk11import', + 'cmd/pk1sign/pk1sign.gyp:pk1sign', + 'cmd/pp/pp.gyp:pp', + 'cmd/rsaperf/rsaperf.gyp:rsaperf', + 'cmd/rsapoptst/rsapoptst.gyp:rsapoptst', + 'cmd/sdrtest/sdrtest.gyp:sdrtest', + 'cmd/selfserv/selfserv.gyp:selfserv', + 'cmd/shlibsign/mangle/mangle.gyp:mangle', + 'cmd/strsclnt/strsclnt.gyp:strsclnt', +diff --git a/tests/dbtests/dbtests.sh b/tests/dbtests/dbtests.sh +--- a/tests/dbtests/dbtests.sh ++++ b/tests/dbtests/dbtests.sh +@@ -247,16 +247,35 @@ dbtest_main() + # the old one should still be there... + ${BINDIR}/certutil -L -n bob -d ${CONFLICT_DIR} + ret=$? + if [ $ret -ne 0 ]; then + html_failed "Nicknane conflict test-setting nickname conflict incorrectly worked" + else + html_passed "Nicknane conflict test-setting nickname conflict was correctly rejected" + fi +- ++ # import a token private key and make sure the corresponding public key is ++ # created ++ ${BINDIR}/pk11import -d ${CONFLICT_DIR} -f ${R_PWFILE} ++ echo ${BINDIR}/pk11import -d ${CONFLICT_DIR} -f ${R_PWFILE} ++ ret=$? ++ if [ $ret -ne 0 ]; then ++ html_failed "Importing Token Private Key does not create the corrresponding Public Key" ++ else ++ html_passed "Importing Token Private Key correctly creates the corrresponding Public Key" ++ fi ++ # import a token private key and make sure the corresponding public key is ++ # created ++ ${BINDIR}/pk11import -r -D -h -C Curve25519 -d ${CONFLICT_DIR} -f ${R_PWFILE} ++ echo ${BINDIR}/pk11import -r -D -h -C Curve25519 -d ${CONFLICT_DIR} -f ${R_PWFILE} ++ ret=$? ++ if [ $ret -ne 0 ]; then ++ html_failed "Importing ECC Curve 25519 Token Private Key does not create the corrresponding Public Key" ++ else ++ html_passed "Importing ECC Curve 25519 Token Private Key correctly creates the corrresponding Public Key" ++ fi + } + + ################## main ################################################# + + dbtest_init + dbtest_main 2>&1 + dbtest_cleanup diff --git a/SOURCES/nss-539183.patch b/SOURCES/nss-539183.patch new file mode 100644 index 0000000..267e71e --- /dev/null +++ b/SOURCES/nss-539183.patch @@ -0,0 +1,62 @@ +--- nss/cmd/httpserv/httpserv.c.539183 2016-05-21 18:31:39.879585420 -0700 ++++ nss/cmd/httpserv/httpserv.c 2016-05-21 18:37:22.374464057 -0700 +@@ -953,23 +953,23 @@ + getBoundListenSocket(unsigned short port) + { + PRFileDesc *listen_sock; + int listenQueueDepth = 5 + (2 * maxThreads); + PRStatus prStatus; + PRNetAddr addr; + PRSocketOptionData opt; + +- addr.inet.family = PR_AF_INET; +- addr.inet.ip = PR_INADDR_ANY; +- addr.inet.port = PR_htons(port); ++ if (PR_SetNetAddr(PR_IpAddrAny, PR_AF_INET6, port, &addr) != PR_SUCCESS) { ++ errExit("PR_SetNetAddr"); ++ } + +- listen_sock = PR_NewTCPSocket(); ++ listen_sock = PR_OpenTCPSocket(PR_AF_INET6); + if (listen_sock == NULL) { +- errExit("PR_NewTCPSocket"); ++ errExit("PR_OpenTCPSockett"); + } + + opt.option = PR_SockOpt_Nonblocking; + opt.value.non_blocking = PR_FALSE; + prStatus = PR_SetSocketOption(listen_sock, &opt); + if (prStatus < 0) { + PR_Close(listen_sock); + errExit("PR_SetSocketOption(PR_SockOpt_Nonblocking)"); +--- nss/cmd/selfserv/selfserv.c.539183 2016-05-21 18:31:39.882585367 -0700 ++++ nss/cmd/selfserv/selfserv.c 2016-05-21 18:41:43.092801174 -0700 +@@ -1711,23 +1711,23 @@ + getBoundListenSocket(unsigned short port) + { + PRFileDesc *listen_sock; + int listenQueueDepth = 5 + (2 * maxThreads); + PRStatus prStatus; + PRNetAddr addr; + PRSocketOptionData opt; + +- addr.inet.family = PR_AF_INET; +- addr.inet.ip = PR_INADDR_ANY; +- addr.inet.port = PR_htons(port); ++ if (PR_SetNetAddr(PR_IpAddrAny, PR_AF_INET6, port, &addr) != PR_SUCCESS) { ++ errExit("PR_SetNetAddr"); ++ } + +- listen_sock = PR_NewTCPSocket(); ++ listen_sock = PR_OpenTCPSocket(PR_AF_INET6); + if (listen_sock == NULL) { +- errExit("PR_NewTCPSocket"); ++ errExit("PR_OpenTCPSocket error"); + } + + opt.option = PR_SockOpt_Nonblocking; + opt.value.non_blocking = PR_FALSE; + prStatus = PR_SetSocketOption(listen_sock, &opt); + if (prStatus < 0) { + PR_Close(listen_sock); + errExit("PR_SetSocketOption(PR_SockOpt_Nonblocking)"); diff --git a/SOURCES/nss-config.in b/SOURCES/nss-config.in new file mode 100644 index 0000000..f8f893e --- /dev/null +++ b/SOURCES/nss-config.in @@ -0,0 +1,145 @@ +#!/bin/sh + +prefix=@prefix@ + +major_version=@MOD_MAJOR_VERSION@ +minor_version=@MOD_MINOR_VERSION@ +patch_version=@MOD_PATCH_VERSION@ + +usage() +{ + cat <&2 +fi + +lib_ssl=yes +lib_smime=yes +lib_nss=yes +lib_nssutil=yes + +while test $# -gt 0; do + case "$1" in + -*=*) optarg=`echo "$1" | sed 's/[-_a-zA-Z0-9]*=//'` ;; + *) optarg= ;; + esac + + case $1 in + --prefix=*) + prefix=$optarg + ;; + --prefix) + echo_prefix=yes + ;; + --exec-prefix=*) + exec_prefix=$optarg + ;; + --exec-prefix) + echo_exec_prefix=yes + ;; + --includedir=*) + includedir=$optarg + ;; + --includedir) + echo_includedir=yes + ;; + --libdir=*) + libdir=$optarg + ;; + --libdir) + echo_libdir=yes + ;; + --version) + echo ${major_version}.${minor_version}.${patch_version} + ;; + --cflags) + echo_cflags=yes + ;; + --libs) + echo_libs=yes + ;; + ssl) + lib_ssl=yes + ;; + smime) + lib_smime=yes + ;; + nss) + lib_nss=yes + ;; + nssutil) + lib_nssutil=yes + ;; + *) + usage 1 1>&2 + ;; + esac + shift +done + +# Set variables that may be dependent upon other variables +if test -z "$exec_prefix"; then + exec_prefix=`pkg-config --variable=exec_prefix nss` +fi +if test -z "$includedir"; then + includedir=`pkg-config --variable=includedir nss` +fi +if test -z "$libdir"; then + libdir=`pkg-config --variable=libdir nss` +fi + +if test "$echo_prefix" = "yes"; then + echo $prefix +fi + +if test "$echo_exec_prefix" = "yes"; then + echo $exec_prefix +fi + +if test "$echo_includedir" = "yes"; then + echo $includedir +fi + +if test "$echo_libdir" = "yes"; then + echo $libdir +fi + +if test "$echo_cflags" = "yes"; then + echo -I$includedir +fi + +if test "$echo_libs" = "yes"; then + libdirs="-Wl,-rpath-link,$libdir -L$libdir" + if test -n "$lib_ssl"; then + libdirs="$libdirs -lssl${major_version}" + fi + if test -n "$lib_smime"; then + libdirs="$libdirs -lsmime${major_version}" + fi + if test -n "$lib_nss"; then + libdirs="$libdirs -lnss${major_version}" + fi + if test -n "$lib_nssutil"; then + libdirs="$libdirs -lnssutil${major_version}" + fi + echo $libdirs +fi + diff --git a/SOURCES/nss-dsa.patch b/SOURCES/nss-dsa.patch new file mode 100644 index 0000000..6a068f7 --- /dev/null +++ b/SOURCES/nss-dsa.patch @@ -0,0 +1,170 @@ +# HG changeset patch +# User Daiki Ueno +# Date 1542120846 -3600 +# Tue Nov 13 15:54:06 2018 +0100 +# Node ID 5046749fa8a56a99c251bc1cdd1b3302f43947d2 +# Parent 0d97145d524ab35b8bc2a4a8aea60a83bd244f14 +Bug 1493936, add a new "DSA" policy keyword + +Summary: +This adds a new policy keyword "DSA" to explicitly disable DSA in TLS 1.2 or earlier. + +We could make this a bit more generic, e.g., by adding "ECDSA", "RSA-PSS" etc. However, considering the current use of policy in [fedora-crypto-policies](https://gitlab.com/redhat-crypto/fedora-crypto-policies), I realized that adding new keywords may cause compatibility problems; because the Fedora configuration has `disallow=ALL`, all new keywords would be disabled by default. I think it's okay for DSA, though. + +Reviewers: kaie + +Reviewed By: kaie + +Bug #: 1493936 + +Differential Revision: https://phabricator.services.mozilla.com/D6777 + +diff --git a/lib/certhigh/certvfy.c b/lib/certhigh/certvfy.c +--- a/lib/certhigh/certvfy.c ++++ b/lib/certhigh/certvfy.c +@@ -37,7 +37,7 @@ CERT_CertTimesValid(CERTCertificate *c) + return (valid == secCertTimeValid) ? SECSuccess : SECFailure; + } + +-SECStatus ++static SECStatus + checkKeyParams(const SECAlgorithmID *sigAlgorithm, const SECKEYPublicKey *key) + { + SECStatus rv; +@@ -47,6 +47,12 @@ checkKeyParams(const SECAlgorithmID *sig + PRInt32 minLen, len; + + sigAlg = SECOID_GetAlgorithmTag(sigAlgorithm); ++ rv = NSS_GetAlgorithmPolicy(sigAlg, &policyFlags); ++ if (rv == SECSuccess && ++ !(policyFlags & NSS_USE_ALG_IN_CERT_SIGNATURE)) { ++ PORT_SetError(SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED); ++ return SECFailure; ++ } + + switch (sigAlg) { + case SEC_OID_ANSIX962_ECDSA_SHA1_SIGNATURE: +diff --git a/lib/pk11wrap/pk11pars.c b/lib/pk11wrap/pk11pars.c +--- a/lib/pk11wrap/pk11pars.c ++++ b/lib/pk11wrap/pk11pars.c +@@ -384,18 +384,26 @@ static const oidValDef kxOptList[] = { + { CIPHER_NAME("ECDH-RSA"), SEC_OID_TLS_ECDH_RSA, NSS_USE_ALG_IN_SSL_KX }, + }; + ++static const oidValDef signOptList[] = { ++ /* Signatures */ ++ { CIPHER_NAME("DSA"), SEC_OID_ANSIX9_DSA_SIGNATURE, ++ NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE }, ++}; ++ + typedef struct { + const oidValDef *list; + PRUint32 entries; + const char *description; ++ PRBool allowEmpty; + } algListsDef; + + static const algListsDef algOptLists[] = { +- { curveOptList, PR_ARRAY_SIZE(curveOptList), "ECC" }, +- { hashOptList, PR_ARRAY_SIZE(hashOptList), "HASH" }, +- { macOptList, PR_ARRAY_SIZE(macOptList), "MAC" }, +- { cipherOptList, PR_ARRAY_SIZE(cipherOptList), "CIPHER" }, +- { kxOptList, PR_ARRAY_SIZE(kxOptList), "OTHER-KX" }, ++ { curveOptList, PR_ARRAY_SIZE(curveOptList), "ECC", PR_FALSE }, ++ { hashOptList, PR_ARRAY_SIZE(hashOptList), "HASH", PR_FALSE }, ++ { macOptList, PR_ARRAY_SIZE(macOptList), "MAC", PR_FALSE }, ++ { cipherOptList, PR_ARRAY_SIZE(cipherOptList), "CIPHER", PR_FALSE }, ++ { kxOptList, PR_ARRAY_SIZE(kxOptList), "OTHER-KX", PR_FALSE }, ++ { signOptList, PR_ARRAY_SIZE(signOptList), "OTHER-SIGN", PR_TRUE }, + }; + + static const optionFreeDef sslOptList[] = { +@@ -718,7 +726,7 @@ secmod_sanityCheckCryptoPolicy(void) + for (i = 0; i < PR_ARRAY_SIZE(algOptLists); i++) { + const algListsDef *algOptList = &algOptLists[i]; + fprintf(stderr, "NSS-POLICY-%s: NUMBER-OF-%s: %u\n", enabledCount[i] ? sInfo : sWarn, algOptList->description, enabledCount[i]); +- if (!enabledCount[i]) { ++ if (!enabledCount[i] && !algOptList->allowEmpty) { + haveWarning = PR_TRUE; + } + } +diff --git a/lib/ssl/ssl3con.c b/lib/ssl/ssl3con.c +--- a/lib/ssl/ssl3con.c ++++ b/lib/ssl/ssl3con.c +@@ -64,6 +64,7 @@ static SECStatus ssl3_FlushHandshakeMess + static CK_MECHANISM_TYPE ssl3_GetHashMechanismByHashType(SSLHashType hashType); + static CK_MECHANISM_TYPE ssl3_GetMgfMechanismByHashType(SSLHashType hash); + PRBool ssl_IsRsaPssSignatureScheme(SSLSignatureScheme scheme); ++PRBool ssl_IsDsaSignatureScheme(SSLSignatureScheme scheme); + + const PRUint8 ssl_hello_retry_random[] = { + 0xCF, 0x21, 0xAD, 0x74, 0xE5, 0x9A, 0x61, 0x11, +@@ -4309,6 +4310,22 @@ ssl_IsRsaPssSignatureScheme(SSLSignature + return PR_FALSE; + } + ++PRBool ++ssl_IsDsaSignatureScheme(SSLSignatureScheme scheme) ++{ ++ switch (scheme) { ++ case ssl_sig_dsa_sha256: ++ case ssl_sig_dsa_sha384: ++ case ssl_sig_dsa_sha512: ++ case ssl_sig_dsa_sha1: ++ return PR_TRUE; ++ ++ default: ++ return PR_FALSE; ++ } ++ return PR_FALSE; ++} ++ + SSLAuthType + ssl_SignatureSchemeToAuthType(SSLSignatureScheme scheme) + { +@@ -6017,6 +6034,13 @@ ssl_CanUseSignatureScheme(SSLSignatureSc + return PR_FALSE; + } + ++ if (ssl_IsDsaSignatureScheme(scheme) && ++ (NSS_GetAlgorithmPolicy(SEC_OID_ANSIX9_DSA_SIGNATURE, &policy) == ++ SECSuccess) && ++ !(policy & NSS_USE_ALG_IN_SSL_KX)) { ++ return PR_FALSE; ++ } ++ + hashType = ssl_SignatureSchemeToHashType(scheme); + if (requireSha1 && (hashType != ssl_hash_sha1)) { + return PR_FALSE; +@@ -9490,6 +9514,14 @@ ssl3_EncodeSigAlgs(const sslSocket *ss, + continue; + } + ++ /* Skip DSA scheme if it is disabled by policy. */ ++ if (ssl_IsDsaSignatureScheme(ss->ssl3.signatureSchemes[i]) && ++ (NSS_GetAlgorithmPolicy(SEC_OID_ANSIX9_DSA_SIGNATURE, &policy) == ++ SECSuccess) && ++ !(policy & NSS_USE_ALG_IN_SSL_KX)) { ++ continue; ++ } ++ + if ((NSS_GetAlgorithmPolicy(hashOID, &policy) != SECSuccess) || + (policy & NSS_USE_ALG_IN_SSL_KX)) { + rv = sslBuffer_AppendNumber(buf, ss->ssl3.signatureSchemes[i], 2); +diff --git a/tests/ssl/sslpolicy.txt b/tests/ssl/sslpolicy.txt +--- a/tests/ssl/sslpolicy.txt ++++ b/tests/ssl/sslpolicy.txt +@@ -74,6 +74,8 @@ + # SECT409R1 + # SECT571K1 + # SECT571R1 ++# Signatures: ++# DSA + # Hashes: + # MD2 + # MD4 +@@ -172,3 +174,4 @@ + 1 noECC SSL3 d allow=tls-version-min=tls1.0:tls-version-max=tls1.2 Disallow Version Exlicitly + 1 noECC SSL3 d disallow=all_allow=hmac-sha1:sha256:rsa:des-ede3-cbc:tls-version-min=tls1.0:tls-version-max=tls1.2 Disallow Version Implicitly Narrow. + 1 noECC SSL3 d disallow=all_allow=md2/all:md4/all:md5/all:sha1/all:sha256/all:sha384/all:sha512/all:hmac-sha1/all:hmac-sha224/all:hmac-sha256/all:hmac-sha384/all:hmac-sha512/all:hmac-md5/all:camellia128-cbc/all:camellia192-cbc/all:camellia256-cbc/all:seed-cbc/all:des-ede3-cbc/all:des-40-cbc/all:des-cbc/all:null-cipher/all:rc2/all:rc4/all:idea/all:rsa/all:rsa-export/all:dhe-rsa/all:dhe-dss/all:ecdhe-ecdsa/all:ecdhe-rsa/all:ecdh-ecdsa/all:ecdh-rsa/all:tls-version-min=tls1.0:tls-version-max=tls1.2 Disallow Version Implicitly. ++ 0 noECC SSL3 d disallow=dsa Disallow DSA Signatures Explicitly. diff --git a/SOURCES/nss-dso-ldflags.patch b/SOURCES/nss-dso-ldflags.patch new file mode 100644 index 0000000..fe39ae3 --- /dev/null +++ b/SOURCES/nss-dso-ldflags.patch @@ -0,0 +1,22 @@ +diff --git a/coreconf/Linux.mk b/coreconf/Linux.mk +--- a/coreconf/Linux.mk ++++ b/coreconf/Linux.mk +@@ -135,17 +135,17 @@ ifeq ($(KERNEL),Linux) + endif + OS_LIBS = $(OS_PTHREAD) -ldl -lc + + ifdef USE_PTHREADS + DEFINES += -D_REENTRANT + endif + + DSO_CFLAGS = -fPIC +-DSO_LDOPTS = -shared $(ARCHFLAG) -Wl,--gc-sections ++DSO_LDOPTS = -shared $(ARCHFLAG) -Wl,--gc-sections $(DSO_LDFLAGS) + # The linker on Red Hat Linux 7.2 and RHEL 2.1 (GNU ld version 2.11.90.0.8) + # incorrectly reports undefined references in the libraries we link with, so + # we don't use -z defs there. + # Also, -z defs conflicts with Address Sanitizer, which emits relocations + # against the libsanitizer runtime built into the main executable. + ZDEFS_FLAG = -Wl,-z,defs + DSO_LDOPTS += $(if $(findstring 2.11.90.0.8,$(shell ld -v)),,$(ZDEFS_FLAG)) + LDFLAGS += $(ARCHFLAG) -z noexecstack diff --git a/SOURCES/nss-manpage-fixes.patch b/SOURCES/nss-manpage-fixes.patch new file mode 100644 index 0000000..ae2b2fd --- /dev/null +++ b/SOURCES/nss-manpage-fixes.patch @@ -0,0 +1,170 @@ +# HG changeset patch +# User Daiki Ueno +# Date 1544699159 -3600 +# Thu Dec 13 12:05:59 2018 +0100 +# Node ID 0124a811bdf7abfe4bcf135ccc8c719b14db0580 +# Parent 5b2efc615899a283c1ab2e26ddb41684aeae60f0 +Add manual for nss-policy-check + +diff --git a/doc/Makefile b/doc/Makefile +--- a/doc/Makefile ++++ b/doc/Makefile +@@ -21,7 +21,7 @@ all: prepare all-man all-html + prepare: date-and-version + mkdir -p html + mkdir -p nroff +- ++ + clean: + rm -f date.xml version.xml *.tar.bz2 + rm -f html/*.proc +@@ -45,11 +45,11 @@ version.xml: + + nroff/%.1 : %.xml + $(COMPILE.1) $< +- ++ + MANPAGES = \ + nroff/certutil.1 nroff/cmsutil.1 nroff/crlutil.1 nroff/pk12util.1 \ + nroff/modutil.1 nroff/ssltap.1 nroff/derdump.1 nroff/signtool.1 nroff/signver.1 \ +-nroff/pp.1 nroff/vfychain.1 nroff/vfyserv.1 ++nroff/pp.1 nroff/vfychain.1 nroff/vfyserv.1 nroff/nss-policy-check.1 + + all-man: prepare $(MANPAGES) + +@@ -64,6 +64,6 @@ html/%.html : %.xml + HTMLPAGES = \ + html/certutil.html html/cmsutil.html html/crlutil.html html/pk12util.html html/modutil.html \ + html/ssltap.html html/derdump.html html/signtool.html html/signver.html html/pp.html \ +-html/vfychain.html html/vfyserv.html ++html/vfychain.html html/vfyserv.html html/nss-policy-check.html + + all-html: prepare $(HTMLPAGES) +diff --git a/doc/certutil.xml b/doc/certutil.xml +--- a/doc/certutil.xml ++++ b/doc/certutil.xml +@@ -180,6 +180,10 @@ For certificate requests, ASCII output d + + + ++ --simple-self-signed ++ When printing the certificate chain, don't search for a chain if issuer name equals to subject name. ++ ++ + -b validity-time + Specify a time at which a certificate is required to be valid. Use when checking certificate validity with the option. The format of the validity-time argument is YYMMDDHHMMSS[+HHMM|-HHMM|Z], which allows offsets to be set relative to the validity end time. Specifying seconds (SS) is optional. When specifying an explicit time, use a Z at the end of the term, YYMMDDHHMMSSZ, to close it. When specifying an offset time, use YYMMDDHHMMSS+HHMM or YYMMDDHHMMSS-HHMM for adding or subtracting time, respectively. + +diff --git a/doc/nss-policy-check.xml b/doc/nss-policy-check.xml +new file mode 100644 +--- /dev/null ++++ b/doc/nss-policy-check.xml +@@ -0,0 +1,97 @@ ++ ++ ++ ++]> ++ ++ ++ ++ ++ &date; ++ NSS Security Tools ++ nss-tools ++ &version; ++ ++ ++ ++ NSS-POLICY-CHECK ++ 1 ++ ++ ++ ++ nss-policy-check ++ nss-policy-check policy-file ++ ++ ++ ++ ++ nss-policy-check ++ ++ ++ ++ ++ Description ++ nss-policy-check verifies crypto-policy configuration that controls certain crypto algorithms are allowed/disallowed to use in the NSS library. ++ ++ The crypto-policy configuration can be stored in either a system-wide configuration file, specified with the POLICY_PATH and POLICY_FILE build options, or in the pkcs11.txt in NSS database. ++ ++ ++ ++ Usage and Examples ++ To check the global crypto-policy configuration in /etc/crypto-policies/back-ends/nss.config: ++ ++ $ nss-policy-check /etc/crypto-policies/back-ends/nss.config ++NSS-POLICY-INFO: LOADED-SUCCESSFULLY ++NSS-POLICY-INFO: PRIME256V1 is enabled for KX ++NSS-POLICY-INFO: PRIME256V1 is enabled for CERT-SIGNATURE ++NSS-POLICY-INFO: SECP256R1 is enabled for KX ++NSS-POLICY-INFO: SECP256R1 is enabled for CERT-SIGNATURE ++NSS-POLICY-INFO: SECP384R1 is enabled for KX ++NSS-POLICY-INFO: SECP384R1 is enabled for CERT-SIGNATURE ++... ++NSS-POLICY-INFO: NUMBER-OF-SSL-ALG-KX: 13 ++NSS-POLICY-INFO: NUMBER-OF-SSL-ALG: 9 ++NSS-POLICY-INFO: NUMBER-OF-CERT-SIG: 9 ++... ++NSS-POLICY-INFO: ciphersuite TLS_AES_128_GCM_SHA256 is enabled ++NSS-POLICY-INFO: ciphersuite TLS_CHACHA20_POLY1305_SHA256 is enabled ++NSS-POLICY-INFO: ciphersuite TLS_AES_256_GCM_SHA384 is enabled ++... ++NSS-POLICY-INFO: NUMBER-OF-CIPHERSUITES: 24 ++NSS-POLICY-INFO: NUMBER-OF-TLS-VERSIONS: 3 ++NSS-POLICY-INFO: NUMBER-OF-DTLS-VERSIONS: 2 ++ ++ If there is a failure or warning, it will be prefixed with ++ NSS-POLICY-FAIL or NSS-POLICY_WARN. ++ ++ nss-policy-check exits with 2 if any ++ failure is found, 1 if any warning is found, or 0 if no errors are ++ found. ++ ++ ++ ++ ++ Additional Resources ++ For information about NSS and other tools related to NSS (like JSS), check out the NSS project wiki at http://www.mozilla.org/projects/security/pki/nss/. The NSS site relates directly to NSS code changes and releases. ++ Mailing lists: https://lists.mozilla.org/listinfo/dev-tech-crypto ++ IRC: Freenode at #dogtag-pki ++ ++ ++ ++ ++ Authors ++ The NSS tools were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google. ++ ++ Authors: Elio Maldonado <emaldona@redhat.com>, Deon Lackey <dlackey@redhat.com>. ++ ++ ++ ++ ++ ++ LICENSE ++ Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/. ++ ++ ++ ++ +diff --git a/doc/pk12util.xml b/doc/pk12util.xml +--- a/doc/pk12util.xml ++++ b/doc/pk12util.xml +@@ -108,7 +108,7 @@ + + + +- -n | --cert-key-len certKeyLength ++ --cert-key-len certKeyLength + Specify the desired length of the symmetric key to be used to encrypt the certificates and other meta-data. + + diff --git a/SOURCES/nss-p11-kit.config b/SOURCES/nss-p11-kit.config new file mode 100644 index 0000000..0ebf073 --- /dev/null +++ b/SOURCES/nss-p11-kit.config @@ -0,0 +1,4 @@ +name=p11-kit-proxy +library=p11-kit-proxy.so + + diff --git a/SOURCES/nss-softokn-config.in b/SOURCES/nss-softokn-config.in new file mode 100644 index 0000000..c7abe29 --- /dev/null +++ b/SOURCES/nss-softokn-config.in @@ -0,0 +1,116 @@ +#!/bin/sh + +prefix=@prefix@ + +major_version=@MOD_MAJOR_VERSION@ +minor_version=@MOD_MINOR_VERSION@ +patch_version=@MOD_PATCH_VERSION@ + +usage() +{ + cat <&2 +fi + +while test $# -gt 0; do + case "$1" in + -*=*) optarg=`echo "$1" | sed 's/[-_a-zA-Z0-9]*=//'` ;; + *) optarg= ;; + esac + + case $1 in + --prefix=*) + prefix=$optarg + ;; + --prefix) + echo_prefix=yes + ;; + --exec-prefix=*) + exec_prefix=$optarg + ;; + --exec-prefix) + echo_exec_prefix=yes + ;; + --includedir=*) + includedir=$optarg + ;; + --includedir) + echo_includedir=yes + ;; + --libdir=*) + libdir=$optarg + ;; + --libdir) + echo_libdir=yes + ;; + --version) + echo ${major_version}.${minor_version}.${patch_version} + ;; + --cflags) + echo_cflags=yes + ;; + --libs) + echo_libs=yes + ;; + *) + usage 1 1>&2 + ;; + esac + shift +done + +# Set variables that may be dependent upon other variables +if test -z "$exec_prefix"; then + exec_prefix=`pkg-config --variable=exec_prefix nss-softokn` +fi +if test -z "$includedir"; then + includedir=`pkg-config --variable=includedir nss-softokn` +fi +if test -z "$libdir"; then + libdir=`pkg-config --variable=libdir nss-softokn` +fi + +if test "$echo_prefix" = "yes"; then + echo $prefix +fi + +if test "$echo_exec_prefix" = "yes"; then + echo $exec_prefix +fi + +if test "$echo_includedir" = "yes"; then + echo $includedir +fi + +if test "$echo_libdir" = "yes"; then + echo $libdir +fi + +if test "$echo_cflags" = "yes"; then + echo -I$includedir +fi + +if test "$echo_libs" = "yes"; then + libdirs="-Wl,-rpath-link,$libdir -L$libdir" + echo $libdirs +fi + diff --git a/SOURCES/nss-softokn-dracut-module-setup.sh b/SOURCES/nss-softokn-dracut-module-setup.sh new file mode 100644 index 0000000..010ec18 --- /dev/null +++ b/SOURCES/nss-softokn-dracut-module-setup.sh @@ -0,0 +1,18 @@ +#!/bin/bash +# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*- +# ex: ts=8 sw=4 sts=4 et filetype=sh + +check() { + return 255 +} + +depends() { + return 0 +} + +install() { + local _dir + + inst_libdir_file libfreeblpriv3.so libfreeblpriv3.chk \ + libfreebl3.so +} diff --git a/SOURCES/nss-softokn-dracut.conf b/SOURCES/nss-softokn-dracut.conf new file mode 100644 index 0000000..2d9232e --- /dev/null +++ b/SOURCES/nss-softokn-dracut.conf @@ -0,0 +1,3 @@ +# turn on nss-softokn module + +add_dracutmodules+=" nss-softokn " diff --git a/SOURCES/nss-softokn-prelink.conf b/SOURCES/nss-softokn-prelink.conf new file mode 100644 index 0000000..11d7fb0 --- /dev/null +++ b/SOURCES/nss-softokn-prelink.conf @@ -0,0 +1,6 @@ +-b /lib{,64}/libfreeblpriv3.so +-b /lib{,64}/libsoftokn3.so +-b /lib{,64}/libnssdbm3.so +-b /usr/lib{,64}/libfreeblpriv3.so +-b /usr/lib{,64}/libsoftokn3.so +-b /usr/lib{,64}/libnssdbm3.so diff --git a/SOURCES/nss-softokn.pc.in b/SOURCES/nss-softokn.pc.in new file mode 100644 index 0000000..022ebbf --- /dev/null +++ b/SOURCES/nss-softokn.pc.in @@ -0,0 +1,11 @@ +prefix=%prefix% +exec_prefix=%exec_prefix% +libdir=%libdir% +includedir=%includedir% + +Name: NSS-SOFTOKN +Description: Network Security Services Softoken PKCS #11 Module +Version: %SOFTOKEN_VERSION% +Requires: nspr >= %NSPR_VERSION%, nss-util >= %NSSUTIL_VERSION% +Libs: -L${libdir} -lfreebl3 -lnssdbm3 -lsoftokn3 +Cflags: -I${includedir} diff --git a/SOURCES/nss-util-config.in b/SOURCES/nss-util-config.in new file mode 100644 index 0000000..532abbe --- /dev/null +++ b/SOURCES/nss-util-config.in @@ -0,0 +1,118 @@ +#!/bin/sh + +prefix=@prefix@ + +major_version=@MOD_MAJOR_VERSION@ +minor_version=@MOD_MINOR_VERSION@ +patch_version=@MOD_PATCH_VERSION@ + +usage() +{ + cat <&2 +fi + +lib_nssutil=yes + +while test $# -gt 0; do + case "$1" in + -*=*) optarg=`echo "$1" | sed 's/[-_a-zA-Z0-9]*=//'` ;; + *) optarg= ;; + esac + + case $1 in + --prefix=*) + prefix=$optarg + ;; + --prefix) + echo_prefix=yes + ;; + --exec-prefix=*) + exec_prefix=$optarg + ;; + --exec-prefix) + echo_exec_prefix=yes + ;; + --includedir=*) + includedir=$optarg + ;; + --includedir) + echo_includedir=yes + ;; + --libdir=*) + libdir=$optarg + ;; + --libdir) + echo_libdir=yes + ;; + --version) + echo ${major_version}.${minor_version}.${patch_version} + ;; + --cflags) + echo_cflags=yes + ;; + --libs) + echo_libs=yes + ;; + *) + usage 1 1>&2 + ;; + esac + shift +done + +# Set variables that may be dependent upon other variables +if test -z "$exec_prefix"; then + exec_prefix=`pkg-config --variable=exec_prefix nss-util` +fi +if test -z "$includedir"; then + includedir=`pkg-config --variable=includedir nss-util` +fi +if test -z "$libdir"; then + libdir=`pkg-config --variable=libdir nss-util` +fi + +if test "$echo_prefix" = "yes"; then + echo $prefix +fi + +if test "$echo_exec_prefix" = "yes"; then + echo $exec_prefix +fi + +if test "$echo_includedir" = "yes"; then + echo $includedir +fi + +if test "$echo_libdir" = "yes"; then + echo $libdir +fi + +if test "$echo_cflags" = "yes"; then + echo -I$includedir +fi + +if test "$echo_libs" = "yes"; then + libdirs="-Wl,-rpath-link,$libdir -L$libdir" + if test -n "$lib_nssutil"; then + libdirs="$libdirs -lnssutil${major_version}" + fi + echo $libdirs +fi + diff --git a/SOURCES/nss-util.pc.in b/SOURCES/nss-util.pc.in new file mode 100644 index 0000000..1310248 --- /dev/null +++ b/SOURCES/nss-util.pc.in @@ -0,0 +1,11 @@ +prefix=%prefix% +exec_prefix=%exec_prefix% +libdir=%libdir% +includedir=%includedir% + +Name: NSS-UTIL +Description: Network Security Services Utility Library +Version: %NSSUTIL_VERSION% +Requires: nspr >= %NSPR_VERSION% +Libs: -L${libdir} -lnssutil3 +Cflags: -I${includedir} diff --git a/SOURCES/nss.pc.in b/SOURCES/nss.pc.in new file mode 100644 index 0000000..69823cb --- /dev/null +++ b/SOURCES/nss.pc.in @@ -0,0 +1,11 @@ +prefix=%prefix% +exec_prefix=%exec_prefix% +libdir=%libdir% +includedir=%includedir% + +Name: NSS +Description: Network Security Services +Version: %NSS_VERSION% +Requires: nspr >= %NSPR_VERSION%, nss-util >= %NSSUTIL_VERSION% +Libs: -L${libdir} -lssl3 -lsmime3 -lnss3 +Cflags: -I${includedir} diff --git a/SOURCES/pkcs11.txt.xml b/SOURCES/pkcs11.txt.xml new file mode 100644 index 0000000..d30e469 --- /dev/null +++ b/SOURCES/pkcs11.txt.xml @@ -0,0 +1,56 @@ + + + +]> + + + + + &date; + Network Security Services + nss + &version; + + + + pkcs11.txt + 5 + + + + pkcs11.txt + NSS PKCS #11 module configuration file + + + + Description + +The pkcs11.txt file is used to configure initialization parameters for the nss security module and optionally other pkcs #11 modules. + + +For full documentation visit PKCS #11 Module Specs. + + + + + Files + /etc/pki/nssdb/pkcs11.txt + + + + Authors + The nss libraries were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google. + Authors: Elio Maldonado <emaldona@redhat.com>. + + + + + LICENSE + Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/. + + + + + diff --git a/SOURCES/rhbz1185708-enable-ecc-3des-ciphers-by-default.patch b/SOURCES/rhbz1185708-enable-ecc-3des-ciphers-by-default.patch new file mode 100644 index 0000000..970c84e --- /dev/null +++ b/SOURCES/rhbz1185708-enable-ecc-3des-ciphers-by-default.patch @@ -0,0 +1,14 @@ +diff -up nss/lib/ssl/ssl3con.c.1185708_3des nss/lib/ssl/ssl3con.c +--- nss/lib/ssl/ssl3con.c.1185708_3des 2018-12-11 18:28:06.736592552 +0100 ++++ nss/lib/ssl/ssl3con.c 2018-12-11 18:29:06.273314692 +0100 +@@ -106,8 +106,8 @@ static ssl3CipherSuiteCfg cipherSuites[s + { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, + { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE}, + { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE}, +- { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, +- { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, ++ { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, ++ { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, + { TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, + { TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, + diff --git a/SOURCES/setup-nsssysinit.sh b/SOURCES/setup-nsssysinit.sh new file mode 100755 index 0000000..8e1f5f7 --- /dev/null +++ b/SOURCES/setup-nsssysinit.sh @@ -0,0 +1,68 @@ +#!/bin/sh +# +# Turns on or off the nss-sysinit module db by editing the +# global PKCS #11 congiguration file. Displays the status. +# +# This script can be invoked by the user as super user. +# It is invoked at nss-sysinit post install time with argument on. +# +usage() +{ + cat <&2 +fi + +# the system-wide configuration file +p11conf="/etc/pki/nssdb/pkcs11.txt" +# must exist, otherwise report it and exit with failure +if [ ! -f $p11conf ]; then + echo "Could not find ${p11conf}" + exit 1 +fi + +# check if nsssysinit is currently enabled or disabled +sysinit_enabled() +{ + grep -q '^library=libnsssysinit' ${p11conf} +} + +umask 022 +case "$1" in + on | ON ) + if sysinit_enabled; then + exit 0 + fi + cat ${p11conf} | \ + sed -e 's/^library=$/library=libnsssysinit.so/' \ + -e '/^NSS/s/\(Flags=internal\)\(,[^m]\)/\1,moduleDBOnly\2/' > \ + ${p11conf}.on + mv ${p11conf}.on ${p11conf} + ;; + off | OFF ) + if ! sysinit_enabled; then + exit 0 + fi + cat ${p11conf} | \ + sed -e 's/^library=libnsssysinit.so/library=/' \ + -e '/^NSS/s/Flags=internal,moduleDBOnly/Flags=internal/' > \ + ${p11conf}.off + mv ${p11conf}.off ${p11conf} + ;; + status ) + echo -n 'NSS sysinit is ' + sysinit_enabled && echo 'enabled' || echo 'disabled' + ;; + * ) + usage 1 1>&2 + ;; +esac diff --git a/SOURCES/system-pkcs11.txt b/SOURCES/system-pkcs11.txt new file mode 100644 index 0000000..c2f5704 --- /dev/null +++ b/SOURCES/system-pkcs11.txt @@ -0,0 +1,5 @@ +library=libnsssysinit.so +name=NSS Internal PKCS #11 Module +parameters=configdir='sql:/etc/pki/nssdb' certPrefix='' keyPrefix='' secmod='secmod.db' flags= updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' updateTokenDescription='' +NSS=Flags=internal,moduleDBOnly,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30}) + diff --git a/SPECS/nss.spec b/SPECS/nss.spec new file mode 100644 index 0000000..ddbb575 --- /dev/null +++ b/SPECS/nss.spec @@ -0,0 +1,2287 @@ +%global nspr_version 4.20.0 +%global nss_version 3.41.0 +%global unsupported_tools_directory %{_libdir}/nss/unsupported-tools +%global saved_files_dir %{_libdir}/nss/saved +%global prelink_conf_dir %{_sysconfdir}/prelink.conf.d/ +%global dracutlibdir %{_prefix}/lib/dracut +%global dracut_modules_dir %{dracutlibdir}/modules.d/05nss-softokn/ +%global dracut_conf_dir %{dracutlibdir}/dracut.conf.d + +%bcond_without tests + +# Produce .chk files for the final stripped binaries +# +# NOTE: The LD_LIBRARY_PATH line guarantees shlibsign links +# against the freebl that we just built. This is necessary +# because the signing algorithm changed on 3.14 to DSA2 with SHA256 +# whereas we previously signed with DSA and SHA1. We must Keep this line +# until all mock platforms have been updated. +# After %%{__os_install_post} we would add +# export LD_LIBRARY_PATH=$RPM_BUILD_ROOT/%%{_libdir} +%define __spec_install_post \ + %{?__debug_package:%{__debug_install_post}} \ + %{__arch_install_post} \ + %{__os_install_post} \ + $RPM_BUILD_ROOT/%{unsupported_tools_directory}/shlibsign -i $RPM_BUILD_ROOT/%{_libdir}/libsoftokn3.so \ + $RPM_BUILD_ROOT/%{unsupported_tools_directory}/shlibsign -i $RPM_BUILD_ROOT/%{_libdir}/libfreeblpriv3.so \ + $RPM_BUILD_ROOT/%{unsupported_tools_directory}/shlibsign -i $RPM_BUILD_ROOT/%{_libdir}/libfreebl3.so \ + $RPM_BUILD_ROOT/%{unsupported_tools_directory}/shlibsign -i $RPM_BUILD_ROOT/%{_libdir}/libnssdbm3.so \ +%{nil} + +# The upstream omits the trailing ".0", while we need it for +# consistency with the pkg-config version: +# https://bugzilla.redhat.com/show_bug.cgi?id=1578106 +%{lua: +rpm.define(string.format("nss_archive_version %s", + string.gsub(rpm.expand("%nss_version"), "(.*)%.0$", "%1"))) +} + +%{lua: +rpm.define(string.format("nss_release_tag NSS_%s_RTM", + string.gsub(rpm.expand("%nss_archive_version"), "%.", "_"))) +} + +Summary: Network Security Services +Name: nss +Version: %{nss_version} +Release: 5%{?dist} +License: MPLv2.0 +URL: http://www.mozilla.org/projects/security/pki/nss/ +Requires: nspr >= %{nspr_version} +Requires: nss-util >= %{nss_version} +# TODO: revert to same version as nss once we are done with the merge +Requires: nss-softokn%{_isa} >= %{nss_version} +Requires: nss-system-init +Requires: p11-kit-trust +Requires: crypto-policies +BuildRequires: nspr-devel >= %{nspr_version} +# for shlibsign +BuildRequires: nss-softokn +BuildRequires: sqlite-devel +BuildRequires: zlib-devel +BuildRequires: pkgconfig +BuildRequires: gawk +BuildRequires: psmisc +BuildRequires: perl-interpreter +BuildRequires: gcc-c++ + +Source0: https://ftp.mozilla.org/pub/security/nss/releases/%{nss_release_tag}/src/%{name}-%{nss_archive_version}.tar.gz +Source1: nss-util.pc.in +Source2: nss-util-config.in +Source3: nss-softokn.pc.in +Source4: nss-softokn-config.in +Source5: nss-softokn-prelink.conf +Source6: nss-softokn-dracut-module-setup.sh +Source7: nss-softokn-dracut.conf +Source8: nss.pc.in +Source9: nss-config.in +Source10: blank-cert8.db +Source11: blank-key3.db +Source12: blank-secmod.db +Source13: blank-cert9.db +Source14: blank-key4.db +Source15: system-pkcs11.txt +Source16: setup-nsssysinit.sh +Source20: nss-config.xml +Source21: setup-nsssysinit.xml +Source22: pkcs11.txt.xml +Source23: cert8.db.xml +Source24: cert9.db.xml +Source25: key3.db.xml +Source26: key4.db.xml +Source27: secmod.db.xml +Source28: nss-p11-kit.config + +# To inject hardening flags for DSO +Patch1: nss-dso-ldflags.patch +# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=617723 +Patch2: nss-539183.patch +# This patch uses the GCC -iquote option documented at +# http://gcc.gnu.org/onlinedocs/gcc/Directory-Options.html#Directory-Options +# to give the in-tree headers a higher priority over the system headers, +# when they are included through the quote form (#include "file.h"). +# +# This ensures a build even when system headers are older. Such is the +# case when starting an update with API changes or even private export +# changes. +# +# Once the buildroot aha been bootstrapped the patch may be removed +# but it doesn't hurt to keep it. +Patch4: iquote.patch +# Local patch for enabling FIPS when the system is in FIPS mode: +# https://bugzilla.redhat.com/show_bug.cgi?id=852023 +Patch55: enable-fips-when-system-is-in-fips-mode.patch +# Local patch for TLS_ECDHE_{ECDSA|RSA}_WITH_3DES_EDE_CBC_SHA ciphers +Patch58: rhbz1185708-enable-ecc-3des-ciphers-by-default.patch +# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1493936 +Patch129: nss-dsa.patch +# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1496124 +Patch150: nss-3.39-create-public-key-on-private-import.patch +# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1513909 +Patch151: nss-manpage-fixes.patch + +%description +Network Security Services (NSS) is a set of libraries designed to +support cross-platform development of security-enabled client and +server applications. Applications built with NSS can support SSL v2 +and v3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509 +v3 certificates, and other security standards. + +%package tools +Summary: Tools for the Network Security Services +Requires: %{name}%{?_isa} = %{version}-%{release} + +%description tools +Network Security Services (NSS) is a set of libraries designed to +support cross-platform development of security-enabled client and +server applications. Applications built with NSS can support SSL v2 +and v3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509 +v3 certificates, and other security standards. + +Install the nss-tools package if you need command-line tools to +manipulate the NSS certificate and key database. + +%package sysinit +Summary: System NSS Initialization +# providing nss-system-init without version so that it can +# be replaced by a better one, e.g. supplied by the os vendor +Provides: nss-system-init +Requires: nss = %{version}-%{release} +Requires(post): coreutils, sed + +%description sysinit +Default Operating System module that manages applications loading +NSS globally on the system. This module loads the system defined +PKCS #11 modules for NSS and chains with other NSS modules to load +any system or user configured modules. + +%package devel +Summary: Development libraries for Network Security Services +Provides: nss-static = %{version}-%{release} +Requires: nss%{?_isa} = %{version}-%{release} +Requires: nss-util-devel +Requires: nss-softokn-devel +Requires: nspr-devel >= %{nspr_version} +Requires: pkgconfig +BuildRequires: xmlto + +%description devel +Header and Library files for doing development with Network Security Services. + + +%package pkcs11-devel +Summary: Development libraries for PKCS #11 (Cryptoki) using NSS +Provides: nss-pkcs11-devel-static = %{version}-%{release} +Requires: nss-devel = %{version}-%{release} +Requires: nss-softokn-freebl-devel = %{version}-%{release} + +%description pkcs11-devel +Library files for developing PKCS #11 modules using basic NSS +low level services. + + +%package util +Summary: Network Security Services Utilities Library +Requires: nspr >= %{nspr_version} + +%description util +Utilities for Network Security Services and the Softoken module + +%package util-devel +Summary: Development libraries for Network Security Services Utilities +Requires: nss-util%{?_isa} = %{version}-%{release} +Requires: nspr-devel >= %{nspr_version} +Requires: pkgconfig + +%description util-devel +Header and library files for doing development with Network Security Services. + + +%package softokn +Summary: Network Security Services Softoken Module +Requires: nspr >= %{nspr_version} +Requires: nss-util >= %{version}-%{release} +Requires: nss-softokn-freebl%{_isa} >= %{version}-%{release} + +%description softokn +Network Security Services Softoken Cryptographic Module + +%package softokn-freebl +Summary: Freebl library for the Network Security Services +# For PR_GetEnvSecure() from nspr >= 4.12 +Requires: nspr >= 4.12 +# For NSS_SecureMemcmpZero() from nss-util >= 3.33 +Requires: nss-util >= 3.33 +Conflicts: nss < 3.12.2.99.3-5 +Conflicts: prelink < 0.4.3 +Conflicts: filesystem < 3 + +%description softokn-freebl +NSS Softoken Cryptographic Module Freebl Library + +Install the nss-softokn-freebl package if you need the freebl library. + +%package softokn-freebl-devel +Summary: Header and Library files for doing development with the Freebl library for NSS +Provides: nss-softokn-freebl-static = %{version}-%{release} +Requires: nss-softokn-freebl%{?_isa} = %{version}-%{release} + +%description softokn-freebl-devel +NSS Softoken Cryptographic Module Freebl Library Development Tools +This package supports special needs of some PKCS #11 module developers and +is otherwise considered private to NSS. As such, the programming interfaces +may change and the usual NSS binary compatibility commitments do not apply. +Developers should rely only on the officially supported NSS public API. + +%package softokn-devel +Summary: Development libraries for Network Security Services +Requires: nss-softokn%{?_isa} = %{version}-%{release} +Requires: nss-softokn-freebl-devel%{?_isa} = %{version}-%{release} +Requires: nspr-devel >= %{nspr_version} +Requires: nss-util-devel >= %{version}-%{release} +Requires: pkgconfig +BuildRequires: nspr-devel >= %{nspr_version} + +%description softokn-devel +Header and library files for doing development with Network Security Services. + + +%prep +%setup -q -n %{name}-%{nss_archive_version} +pushd nss +%autopatch -p1 +popd + + +%build + +export FREEBL_NO_DEPEND=1 + +# Must export FREEBL_LOWHASH=1 for nsslowhash.h so that it gets +# copied to dist and the rpm install phase can find it +# This due of the upstream changes to fix +# https://bugzilla.mozilla.org/show_bug.cgi?id=717906 +export FREEBL_LOWHASH=1 + +# uncomment if the iquote patch is activated +export IN_TREE_FREEBL_HEADERS_FIRST=1 + +export NSS_FORCE_FIPS=1 + +# Enable compiler optimizations and disable debugging code +export BUILD_OPT=1 + +# Uncomment to disable optimizations +#RPM_OPT_FLAGS=`echo $RPM_OPT_FLAGS | sed -e 's/-O2/-O0/g'` +#export RPM_OPT_FLAGS + +# Generate symbolic info for debuggers +export XCFLAGS=$RPM_OPT_FLAGS + +export LDFLAGS=$RPM_LD_FLAGS + +export DSO_LDFLAGS=$RPM_LD_FLAGS + +export PKG_CONFIG_ALLOW_SYSTEM_LIBS=1 +export PKG_CONFIG_ALLOW_SYSTEM_CFLAGS=1 + +export NSPR_INCLUDE_DIR=`/usr/bin/pkg-config --cflags-only-I nspr | sed 's/-I//'` +export NSPR_LIB_DIR=%{_libdir} + +export NSS_USE_SYSTEM_SQLITE=1 + +export NSS_ALLOW_SSLKEYLOGFILE=1 + +%ifnarch noarch +%if 0%{__isa_bits} == 64 +export USE_64=1 +%endif +%endif + +##### phase 2: build the rest of nss +make -C ./nss/coreconf +make -C ./nss/lib/dbm + +# Set the policy file location +# if set NSS will always check for the policy file and load if it exists +export POLICY_FILE="nss.config" +# location of the policy file +export POLICY_PATH="/etc/crypto-policies/back-ends" + +make -C ./nss + +# build the man pages clean +pushd ./nss +make clean_docs build_docs +popd + +# and copy them to the dist directory for %%install to find them +mkdir -p ./dist/docs/nroff +cp ./nss/doc/nroff/* ./dist/docs/nroff + +# Set up our package files +mkdir -p ./dist/pkgconfig + +cat %{SOURCE1} | sed -e "s,%%libdir%%,%{_libdir},g" \ + -e "s,%%prefix%%,%{_prefix},g" \ + -e "s,%%exec_prefix%%,%{_prefix},g" \ + -e "s,%%includedir%%,%{_includedir}/nss3,g" \ + -e "s,%%NSPR_VERSION%%,%{nspr_version},g" \ + -e "s,%%NSSUTIL_VERSION%%,%{version},g" > \ + ./dist/pkgconfig/nss-util.pc + +NSSUTIL_VMAJOR=`cat nss/lib/util/nssutil.h | grep "#define.*NSSUTIL_VMAJOR" | awk '{print $3}'` +NSSUTIL_VMINOR=`cat nss/lib/util/nssutil.h | grep "#define.*NSSUTIL_VMINOR" | awk '{print $3}'` +NSSUTIL_VPATCH=`cat nss/lib/util/nssutil.h | grep "#define.*NSSUTIL_VPATCH" | awk '{print $3}'` + +cat %{SOURCE2} | sed -e "s,@libdir@,%{_libdir},g" \ + -e "s,@prefix@,%{_prefix},g" \ + -e "s,@exec_prefix@,%{_prefix},g" \ + -e "s,@includedir@,%{_includedir}/nss3,g" \ + -e "s,@MOD_MAJOR_VERSION@,$NSSUTIL_VMAJOR,g" \ + -e "s,@MOD_MINOR_VERSION@,$NSSUTIL_VMINOR,g" \ + -e "s,@MOD_PATCH_VERSION@,$NSSUTIL_VPATCH,g" \ + > ./dist/pkgconfig/nss-util-config + +chmod 755 ./dist/pkgconfig/nss-util-config + +cat %{SOURCE3} | sed -e "s,%%libdir%%,%{_libdir},g" \ + -e "s,%%prefix%%,%{_prefix},g" \ + -e "s,%%exec_prefix%%,%{_prefix},g" \ + -e "s,%%includedir%%,%{_includedir}/nss3,g" \ + -e "s,%%NSPR_VERSION%%,%{nspr_version},g" \ + -e "s,%%NSSUTIL_VERSION%%,%{nss_version},g" \ + -e "s,%%SOFTOKEN_VERSION%%,%{version},g" > \ + ./dist/pkgconfig/nss-softokn.pc + +SOFTOKEN_VMAJOR=`cat nss/lib/softoken/softkver.h | grep "#define.*SOFTOKEN_VMAJOR" | awk '{print $3}'` +SOFTOKEN_VMINOR=`cat nss/lib/softoken/softkver.h | grep "#define.*SOFTOKEN_VMINOR" | awk '{print $3}'` +SOFTOKEN_VPATCH=`cat nss/lib/softoken/softkver.h | grep "#define.*SOFTOKEN_VPATCH" | awk '{print $3}'` + +cat %{SOURCE4} | sed -e "s,@libdir@,%{_libdir},g" \ + -e "s,@prefix@,%{_prefix},g" \ + -e "s,@exec_prefix@,%{_prefix},g" \ + -e "s,@includedir@,%{_includedir}/nss3,g" \ + -e "s,@MOD_MAJOR_VERSION@,$SOFTOKEN_VMAJOR,g" \ + -e "s,@MOD_MINOR_VERSION@,$SOFTOKEN_VMINOR,g" \ + -e "s,@MOD_PATCH_VERSION@,$SOFTOKEN_VPATCH,g" \ + > ./dist/pkgconfig/nss-softokn-config + +chmod 755 ./dist/pkgconfig/nss-softokn-config + +cat %{SOURCE8} | sed -e "s,%%libdir%%,%{_libdir},g" \ + -e "s,%%prefix%%,%{_prefix},g" \ + -e "s,%%exec_prefix%%,%{_prefix},g" \ + -e "s,%%includedir%%,%{_includedir}/nss3,g" \ + -e "s,%%NSS_VERSION%%,%{version},g" \ + -e "s,%%NSPR_VERSION%%,%{nspr_version},g" \ + -e "s,%%NSSUTIL_VERSION%%,%{nss_version},g" \ + -e "s,%%SOFTOKEN_VERSION%%,%{nss_version},g" > \ + ./dist/pkgconfig/nss.pc + +NSS_VMAJOR=`cat nss/lib/nss/nss.h | grep "#define.*NSS_VMAJOR" | awk '{print $3}'` +NSS_VMINOR=`cat nss/lib/nss/nss.h | grep "#define.*NSS_VMINOR" | awk '{print $3}'` +NSS_VPATCH=`cat nss/lib/nss/nss.h | grep "#define.*NSS_VPATCH" | awk '{print $3}'` + +cat %{SOURCE9} | sed -e "s,@libdir@,%{_libdir},g" \ + -e "s,@prefix@,%{_prefix},g" \ + -e "s,@exec_prefix@,%{_prefix},g" \ + -e "s,@includedir@,%{_includedir}/nss3,g" \ + -e "s,@MOD_MAJOR_VERSION@,$NSS_VMAJOR,g" \ + -e "s,@MOD_MINOR_VERSION@,$NSS_VMINOR,g" \ + -e "s,@MOD_PATCH_VERSION@,$NSS_VPATCH,g" \ + > ./dist/pkgconfig/nss-config + +chmod 755 ./dist/pkgconfig/nss-config + +cat %{SOURCE16} > ./dist/pkgconfig/setup-nsssysinit.sh +chmod 755 ./dist/pkgconfig/setup-nsssysinit.sh + +cp ./nss/lib/ckfw/nssck.api ./dist/private/nss/ + +date +"%e %B %Y" | tr -d '\n' > date.xml +echo -n %{version} > version.xml + +# configuration files and setup script +for m in %{SOURCE20} %{SOURCE21} %{SOURCE22}; do + cp ${m} . +done +for m in nss-config.xml setup-nsssysinit.xml pkcs11.txt.xml; do + xmlto man ${m} +done + +# nss databases considered to be configuration files +for m in %{SOURCE23} %{SOURCE24} %{SOURCE25} %{SOURCE26} %{SOURCE27}; do + cp ${m} . +done +for m in cert8.db.xml cert9.db.xml key3.db.xml key4.db.xml secmod.db.xml; do + xmlto man ${m} +done + + +%check +%if %{with tests} +# Begin -- copied from the build section + +export FREEBL_NO_DEPEND=1 + +export BUILD_OPT=1 + +%ifnarch noarch +%if 0%{__isa_bits} == 64 +export USE_64=1 +%endif +%endif + +# End -- copied from the build section + +# This is necessary because the test suite tests algorithms that are +# disabled by the system policy. +export NSS_IGNORE_SYSTEM_POLICY=1 + +# enable the following line to force a test failure +# find ./nss -name \*.chk | xargs rm -f + +# Run test suite. +# In order to support multiple concurrent executions of the test suite +# (caused by concurrent RPM builds) on a single host, +# we'll use a random port. Also, we want to clean up any stuck +# selfserv processes. If process name "selfserv" is used everywhere, +# we can't simply do a "killall selfserv", because it could disturb +# concurrent builds. Therefore we'll do a search and replace and use +# a different process name. +# Using xargs doesn't mix well with spaces in filenames, in order to +# avoid weird quoting we'll require that no spaces are being used. + +SPACEISBAD=`find ./nss/tests | grep -c ' '` ||: +if [ $SPACEISBAD -ne 0 ]; then + echo "error: filenames containing space are not supported (xargs)" + exit 1 +fi +MYRAND=`perl -e 'print 9000 + int rand 1000'`; echo $MYRAND ||: +RANDSERV=selfserv_${MYRAND}; echo $RANDSERV ||: +DISTBINDIR=`ls -d ./dist/*.OBJ/bin`; echo $DISTBINDIR ||: +pushd "$DISTBINDIR" +ln -s selfserv $RANDSERV +popd +# man perlrun, man perlrequick +# replace word-occurrences of selfserv with selfserv_$MYRAND +find ./nss/tests -type f |\ + grep -v "\.db$" |grep -v "\.crl$" | grep -v "\.crt$" |\ + grep -vw CVS |xargs grep -lw selfserv |\ + xargs -l perl -pi -e "s/\bselfserv\b/$RANDSERV/g" ||: + +killall $RANDSERV || : + +rm -rf ./tests_results +pushd nss/tests +# all.sh is the test suite script + +# don't need to run all the tests when testing packaging +# nss_cycles: standard pkix upgradedb sharedb +# the full list from all.sh is: +# "cipher lowhash libpkix cert dbtests tools fips sdr crmf smime ssl ocsp merge pkits chains ec gtests ssl_gtests" +%define nss_tests "libpkix cert dbtests tools fips sdr crmf smime ssl ocsp merge pkits chains ec gtests ssl_gtests" +# nss_ssl_tests: crl bypass_normal normal_bypass normal_fips fips_normal iopr policy +# nss_ssl_run: cov auth stapling stress +# +# Uncomment these lines if you need to temporarily +# disable some test suites for faster test builds +# % define nss_ssl_tests "normal_fips" +# % define nss_ssl_run "cov" + +HOST=localhost DOMSUF=localdomain PORT=$MYRAND NSS_CYCLES=%{?nss_cycles} NSS_TESTS=%{?nss_tests} NSS_SSL_TESTS=%{?nss_ssl_tests} NSS_SSL_RUN=%{?nss_ssl_run} ./all.sh +popd + +# Normally, the grep exit status is 0 if selected lines are found and 1 otherwise, +# Grep exits with status greater than 1 if an error ocurred. +# If there are test failures we expect TEST_FAILURES > 0 and GREP_EXIT_STATUS = 0, +# With no test failures we expect TEST_FAILURES = 0 and GREP_EXIT_STATUS = 1, whereas +# GREP_EXIT_STATUS > 1 would indicate an error in grep such as failure to find the log file. +killall $RANDSERV || : + +TEST_FAILURES=$(grep -c -- '- FAILED$' ./tests_results/security/localhost.1/output.log) || GREP_EXIT_STATUS=$? + +if [ ${GREP_EXIT_STATUS:-0} -eq 1 ]; then + echo "okay: test suite detected no failures" +else + if [ ${GREP_EXIT_STATUS:-0} -eq 0 ]; then + # while a situation in which grep return status is 0 and it doesn't output + # anything shouldn't happen, set the default to something that is + # obviously wrong (-1) + echo "error: test suite had ${TEST_FAILURES:--1} test failure(s)" + exit 1 + else + if [ ${GREP_EXIT_STATUS:-0} -eq 2 ]; then + echo "error: grep has not found log file" + exit 1 + else + echo "error: grep failed with exit code: ${GREP_EXIT_STATUS}" + exit 1 + fi + fi +fi +echo "test suite completed" +%endif + +%install + +# There is no make install target so we'll do it ourselves. + +mkdir -p $RPM_BUILD_ROOT/%{_includedir}/nss3 +mkdir -p $RPM_BUILD_ROOT/%{_includedir}/nss3/templates +mkdir -p $RPM_BUILD_ROOT/%{_bindir} +mkdir -p $RPM_BUILD_ROOT/%{_libdir} +mkdir -p $RPM_BUILD_ROOT/%{unsupported_tools_directory} +mkdir -p $RPM_BUILD_ROOT/%{_libdir}/pkgconfig +mkdir -p $RPM_BUILD_ROOT/%{saved_files_dir} +mkdir -p $RPM_BUILD_ROOT/%{prelink_conf_dir} +mkdir -p $RPM_BUILD_ROOT/%{dracut_modules_dir} +mkdir -p $RPM_BUILD_ROOT/%{dracut_conf_dir} +mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/crypto-policies/local.d +%if %{defined rhel} +# not needed for rhel and its derivatives only fedora +%else +# because of the pp.1 conflict with perl-PAR-Packer +mkdir -p $RPM_BUILD_ROOT%{_datadir}/doc/nss-tools +%endif + +install -m 644 %{SOURCE5} $RPM_BUILD_ROOT/%{prelink_conf_dir} +install -m 755 %{SOURCE6} $RPM_BUILD_ROOT/%{dracut_modules_dir}/module-setup.sh +install -m 644 %{SOURCE7} $RPM_BUILD_ROOT/%{dracut_conf_dir}/50-nss-softokn.conf + +mkdir -p $RPM_BUILD_ROOT%{_mandir}/man1 +mkdir -p $RPM_BUILD_ROOT%{_mandir}/man5 + +# Copy the binary libraries we want +for file in libnssutil3.so libsoftokn3.so libnssdbm3.so libfreebl3.so libfreeblpriv3.so libnss3.so libnsssysinit.so libsmime3.so libssl3.so +do + install -p -m 755 dist/*.OBJ/lib/$file $RPM_BUILD_ROOT/%{_libdir} +done + +# Install the empty NSS db files +# Legacy db +mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb +install -p -m 644 %{SOURCE10} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/cert8.db +install -p -m 644 %{SOURCE11} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/key3.db +install -p -m 644 %{SOURCE12} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/secmod.db +# Shared db +install -p -m 644 %{SOURCE13} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/cert9.db +install -p -m 644 %{SOURCE14} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/key4.db +install -p -m 644 %{SOURCE15} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/pkcs11.txt + +# Copy the development libraries we want +for file in libcrmf.a libnssb.a libnssckfw.a +do + install -p -m 644 dist/*.OBJ/lib/$file $RPM_BUILD_ROOT/%{_libdir} +done + +# Copy the binaries we want +for file in certutil cmsutil crlutil modutil nss-policy-check pk12util signver ssltap +do + install -p -m 755 dist/*.OBJ/bin/$file $RPM_BUILD_ROOT/%{_bindir} +done + +# Copy the binaries we ship as unsupported +for file in bltest ecperf fbectest fipstest shlibsign atob btoa derdump listsuites ocspclnt pp selfserv signtool strsclnt symkeyutil tstclnt vfyserv vfychain +do + install -p -m 755 dist/*.OBJ/bin/$file $RPM_BUILD_ROOT/%{unsupported_tools_directory} +done + +# Copy the include files we want +for file in dist/public/nss/*.h +do + install -p -m 644 $file $RPM_BUILD_ROOT/%{_includedir}/nss3 +done + +# Copy some freebl include files we also want +for file in blapi.h alghmac.h +do + install -p -m 644 dist/private/nss/$file $RPM_BUILD_ROOT/%{_includedir}/nss3 +done + +# Copy the static freebl library +for file in libfreebl.a +do +install -p -m 644 dist/*.OBJ/lib/$file $RPM_BUILD_ROOT/%{_libdir} +done + +# Copy the template files we want +for file in dist/private/nss/templates.c dist/private/nss/nssck.api +do + install -p -m 644 $file $RPM_BUILD_ROOT/%{_includedir}/nss3/templates +done + +# Copy the package configuration files +install -p -m 644 ./dist/pkgconfig/nss-util.pc $RPM_BUILD_ROOT/%{_libdir}/pkgconfig/nss-util.pc +install -p -m 755 ./dist/pkgconfig/nss-util-config $RPM_BUILD_ROOT/%{_bindir}/nss-util-config +install -p -m 644 ./dist/pkgconfig/nss-softokn.pc $RPM_BUILD_ROOT/%{_libdir}/pkgconfig/nss-softokn.pc +install -p -m 755 ./dist/pkgconfig/nss-softokn-config $RPM_BUILD_ROOT/%{_bindir}/nss-softokn-config +install -p -m 644 ./dist/pkgconfig/nss.pc $RPM_BUILD_ROOT/%{_libdir}/pkgconfig/nss.pc +install -p -m 755 ./dist/pkgconfig/nss-config $RPM_BUILD_ROOT/%{_bindir}/nss-config +# Copy the pkcs #11 configuration script +install -p -m 755 ./dist/pkgconfig/setup-nsssysinit.sh $RPM_BUILD_ROOT/%{_bindir}/setup-nsssysinit.sh +# install a symbolic link to it, without the ".sh" suffix, +# that matches the man page documentation +ln -r -s -f $RPM_BUILD_ROOT/%{_bindir}/setup-nsssysinit.sh $RPM_BUILD_ROOT/%{_bindir}/setup-nsssysinit + +# Copy the man pages for scripts +for f in nss-config setup-nsssysinit; do + install -c -m 644 ${f}.1 $RPM_BUILD_ROOT%{_mandir}/man1/${f}.1 +done +# Copy the man pages for the nss tools +for f in certutil cmsutil crlutil derdump modutil nss-policy-check pk12util signtool signver ssltap vfychain vfyserv; do + install -c -m 644 ./dist/docs/nroff/${f}.1 $RPM_BUILD_ROOT%{_mandir}/man1/${f}.1 +done +%if %{defined rhel} +install -c -m 644 ./dist/docs/nroff/pp.1 $RPM_BUILD_ROOT%{_mandir}/man1/pp.1 +%else +install -c -m 644 ./dist/docs/nroff/pp.1 $RPM_BUILD_ROOT%{_datadir}/doc/nss-tools/pp.1 +%endif + +# Copy the man pages for the configuration files +for f in pkcs11.txt; do + install -c -m 644 ${f}.5 $RPM_BUILD_ROOT%{_mandir}/man5/${f}.5 +done +# Copy the man pages for the nss databases +for f in cert8.db cert9.db key3.db key4.db secmod.db; do + install -c -m 644 ${f}.5 $RPM_BUILD_ROOT%{_mandir}/man5/${f}.5 +done + +# Copy the crypto-policies configuration file +install -p -m 644 %{SOURCE28} $RPM_BUILD_ROOT/%{_sysconfdir}/crypto-policies/local.d + +%triggerpostun -n nss-sysinit -- nss-sysinit < 3.12.8-3 +# Reverse unwanted disabling of sysinit by faulty preun sysinit scriplet +# from previous versions of nss.spec +/usr/bin/setup-nsssysinit.sh on + +%post +update-crypto-policies --no-reload + +%postun +update-crypto-policies --no-reload + + +%files +%{!?_licensedir:%global license %%doc} +%license nss/COPYING +%{_libdir}/libnss3.so +%{_libdir}/libssl3.so +%{_libdir}/libsmime3.so +%dir %{_sysconfdir}/pki/nssdb +%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/cert8.db +%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/key3.db +%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/secmod.db +%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/cert9.db +%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/key4.db +%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/pkcs11.txt +%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/crypto-policies/local.d/nss-p11-kit.config +%doc %{_mandir}/man5/cert8.db.5* +%doc %{_mandir}/man5/key3.db.5* +%doc %{_mandir}/man5/secmod.db.5* +%doc %{_mandir}/man5/cert9.db.5* +%doc %{_mandir}/man5/key4.db.5* +%doc %{_mandir}/man5/pkcs11.txt.5* + +%files sysinit +%{_libdir}/libnsssysinit.so +%{_bindir}/setup-nsssysinit.sh +# symbolic link to setup-nsssysinit.sh +%{_bindir}/setup-nsssysinit +%doc %{_mandir}/man1/setup-nsssysinit.1* + +%files tools +%{_bindir}/certutil +%{_bindir}/cmsutil +%{_bindir}/crlutil +%{_bindir}/modutil +%{_bindir}/nss-policy-check +%{_bindir}/pk12util +%{_bindir}/signver +%{_bindir}/ssltap +%{unsupported_tools_directory}/atob +%{unsupported_tools_directory}/btoa +%{unsupported_tools_directory}/derdump +%{unsupported_tools_directory}/listsuites +%{unsupported_tools_directory}/ocspclnt +%{unsupported_tools_directory}/pp +%{unsupported_tools_directory}/selfserv +%{unsupported_tools_directory}/signtool +%{unsupported_tools_directory}/strsclnt +%{unsupported_tools_directory}/symkeyutil +%{unsupported_tools_directory}/tstclnt +%{unsupported_tools_directory}/vfyserv +%{unsupported_tools_directory}/vfychain +# instead of %%{_mandir}/man*/* let's list them explicitly +# supported tools +%doc %{_mandir}/man1/certutil.1* +%doc %{_mandir}/man1/cmsutil.1* +%doc %{_mandir}/man1/crlutil.1* +%doc %{_mandir}/man1/modutil.1* +%doc %{_mandir}/man1/nss-policy-check.1* +%doc %{_mandir}/man1/pk12util.1* +%doc %{_mandir}/man1/signver.1* +# unsupported tools +%doc %{_mandir}/man1/derdump.1* +%doc %{_mandir}/man1/signtool.1* +%if %{defined rhel} +%doc %{_mandir}/man1/pp.1* +%else +%dir %{_datadir}/doc/nss-tools +%doc %{_datadir}/doc/nss-tools/pp.1 +%endif +%doc %{_mandir}/man1/ssltap.1* +%doc %{_mandir}/man1/vfychain.1* +%doc %{_mandir}/man1/vfyserv.1* + +%files devel +%{_libdir}/libcrmf.a +%{_libdir}/pkgconfig/nss.pc +%{_bindir}/nss-config +%doc %{_mandir}/man1/nss-config.1* + +%dir %{_includedir}/nss3 +%{_includedir}/nss3/cert.h +%{_includedir}/nss3/certdb.h +%{_includedir}/nss3/certt.h +%{_includedir}/nss3/cmmf.h +%{_includedir}/nss3/cmmft.h +%{_includedir}/nss3/cms.h +%{_includedir}/nss3/cmsreclist.h +%{_includedir}/nss3/cmst.h +%{_includedir}/nss3/crmf.h +%{_includedir}/nss3/crmft.h +%{_includedir}/nss3/cryptohi.h +%{_includedir}/nss3/cryptoht.h +%{_includedir}/nss3/sechash.h +%{_includedir}/nss3/jar-ds.h +%{_includedir}/nss3/jar.h +%{_includedir}/nss3/jarfile.h +%{_includedir}/nss3/key.h +%{_includedir}/nss3/keyhi.h +%{_includedir}/nss3/keyt.h +%{_includedir}/nss3/keythi.h +%{_includedir}/nss3/nss.h +%{_includedir}/nss3/nssckbi.h +%{_includedir}/nss3/ocsp.h +%{_includedir}/nss3/ocspt.h +%{_includedir}/nss3/p12.h +%{_includedir}/nss3/p12plcy.h +%{_includedir}/nss3/p12t.h +%{_includedir}/nss3/pk11func.h +%{_includedir}/nss3/pk11pqg.h +%{_includedir}/nss3/pk11priv.h +%{_includedir}/nss3/pk11pub.h +%{_includedir}/nss3/pk11sdr.h +%{_includedir}/nss3/pkcs12.h +%{_includedir}/nss3/pkcs12t.h +%{_includedir}/nss3/pkcs7t.h +%{_includedir}/nss3/preenc.h +%{_includedir}/nss3/secmime.h +%{_includedir}/nss3/secmod.h +%{_includedir}/nss3/secmodt.h +%{_includedir}/nss3/secpkcs5.h +%{_includedir}/nss3/secpkcs7.h +%{_includedir}/nss3/smime.h +%{_includedir}/nss3/ssl.h +%{_includedir}/nss3/sslerr.h +%{_includedir}/nss3/sslexp.h +%{_includedir}/nss3/sslproto.h +%{_includedir}/nss3/sslt.h + +%files pkcs11-devel +%{_includedir}/nss3/nssbase.h +%{_includedir}/nss3/nssbaset.h +%{_includedir}/nss3/nssckepv.h +%{_includedir}/nss3/nssckft.h +%{_includedir}/nss3/nssckfw.h +%{_includedir}/nss3/nssckfwc.h +%{_includedir}/nss3/nssckfwt.h +%{_includedir}/nss3/nssckg.h +%{_includedir}/nss3/nssckmdt.h +%{_includedir}/nss3/nssckt.h +%{_includedir}/nss3/templates/nssck.api +%{_libdir}/libnssb.a +%{_libdir}/libnssckfw.a + +%files util +%{!?_licensedir:%global license %%doc} +%license nss/COPYING +%{_libdir}/libnssutil3.so + +%files util-devel +# package configuration files +%{_libdir}/pkgconfig/nss-util.pc +%{_bindir}/nss-util-config + +# co-owned with nss +%dir %{_includedir}/nss3 +# these are marked as public export in nss/lib/util/manifest.mk +%{_includedir}/nss3/base64.h +%{_includedir}/nss3/ciferfam.h +%{_includedir}/nss3/eccutil.h +%{_includedir}/nss3/hasht.h +%{_includedir}/nss3/nssb64.h +%{_includedir}/nss3/nssb64t.h +%{_includedir}/nss3/nsslocks.h +%{_includedir}/nss3/nssilock.h +%{_includedir}/nss3/nssilckt.h +%{_includedir}/nss3/nssrwlk.h +%{_includedir}/nss3/nssrwlkt.h +%{_includedir}/nss3/nssutil.h +%{_includedir}/nss3/pkcs1sig.h +%{_includedir}/nss3/pkcs11.h +%{_includedir}/nss3/pkcs11f.h +%{_includedir}/nss3/pkcs11n.h +%{_includedir}/nss3/pkcs11p.h +%{_includedir}/nss3/pkcs11t.h +%{_includedir}/nss3/pkcs11u.h +%{_includedir}/nss3/pkcs11uri.h +%{_includedir}/nss3/portreg.h +%{_includedir}/nss3/secasn1.h +%{_includedir}/nss3/secasn1t.h +%{_includedir}/nss3/seccomon.h +%{_includedir}/nss3/secder.h +%{_includedir}/nss3/secdert.h +%{_includedir}/nss3/secdig.h +%{_includedir}/nss3/secdigt.h +%{_includedir}/nss3/secerr.h +%{_includedir}/nss3/secitem.h +%{_includedir}/nss3/secoid.h +%{_includedir}/nss3/secoidt.h +%{_includedir}/nss3/secport.h +%{_includedir}/nss3/utilmodt.h +%{_includedir}/nss3/utilpars.h +%{_includedir}/nss3/utilparst.h +%{_includedir}/nss3/utilrename.h +%{_includedir}/nss3/templates/templates.c + +%files softokn +%{_libdir}/libnssdbm3.so +%{_libdir}/libnssdbm3.chk +%{_libdir}/libsoftokn3.so +%{_libdir}/libsoftokn3.chk +# shared with nss-tools +%dir %{_libdir}/nss +%dir %{saved_files_dir} +%dir %{unsupported_tools_directory} +%{unsupported_tools_directory}/bltest +%{unsupported_tools_directory}/ecperf +%{unsupported_tools_directory}/fbectest +%{unsupported_tools_directory}/fipstest +%{unsupported_tools_directory}/shlibsign + +%files softokn-freebl +%{!?_licensedir:%global license %%doc} +%license nss/COPYING +%{_libdir}/libfreebl3.so +%{_libdir}/libfreebl3.chk +%{_libdir}/libfreeblpriv3.so +%{_libdir}/libfreeblpriv3.chk +#shared +%dir %{prelink_conf_dir} +%{prelink_conf_dir}/nss-softokn-prelink.conf +%dir %{dracut_modules_dir} +%{dracut_modules_dir}/module-setup.sh +%{dracut_conf_dir}/50-nss-softokn.conf + +%files softokn-freebl-devel +%{_libdir}/libfreebl.a +%{_includedir}/nss3/blapi.h +%{_includedir}/nss3/blapit.h +%{_includedir}/nss3/alghmac.h +%{_includedir}/nss3/lowkeyi.h +%{_includedir}/nss3/lowkeyti.h + +%files softokn-devel +%{_libdir}/pkgconfig/nss-softokn.pc +%{_bindir}/nss-softokn-config + +# co-owned with nss +%dir %{_includedir}/nss3 +# +# The following headers are those exported public in +# nss/lib/freebl/manifest.mn and +# nss/lib/softoken/manifest.mn +# +# The following list is short because many headers, such as +# the pkcs #11 ones, have been provided by nss-util-devel +# which installed them before us. +# +%{_includedir}/nss3/ecl-exp.h +%{_includedir}/nss3/nsslowhash.h +%{_includedir}/nss3/shsign.h + + +%changelog +* Mon Dec 17 2018 Daiki Ueno - 3.41.0-5 +- Update manual pages to reflect recent changes in commands + +* Fri Dec 14 2018 Bob Relyea - 3.41.0-4 +- Make sure corresponding public keys are created when importing private keys. + +* Thu Dec 13 2018 Daiki Ueno - 3.41.0-3 +- Fix the last change +- Add --no-reload option to update-crypto-policies to avoid + unnecessary restart of daemons + +* Thu Dec 13 2018 Daiki Ueno - 3.41.0-2 +- Restore LDFLAGS injection when linking DSO + +* Mon Dec 10 2018 Daiki Ueno - 3.41.0-1 +- Update to NSS 3.41 +- Consolidate nss-util, nss-softokn, and nss into a single source package + +* Fri Dec 7 2018 Daiki Ueno - 3.39.0-1.5 +- Fix the last commit + +* Tue Dec 4 2018 Bob Relyea - 3.39.0-1.4 +- Support for IKE/IPsec typical PKIX usage so libreswan can use nss + without rejecting certs based on EKU + +* Thu Nov 29 2018 Daiki Ueno - 3.39.0-1.3 +- Backport upstream fixes for rhbz#1649026, rhbz#1608895, rhbz#1644854 +- Document PKCS #11 URI +- Add warning when adding module with modutil while p11-kit is enabled + +* Tue Nov 13 2018 Daiki Ueno - 3.39.0-1.2 +- Update nss-dsa.patch to not advertise DSA signature algorithm +- Update PayPal test certs for testing + +* Thu Oct 18 2018 Daiki Ueno - 3.39.0-1.1 +- Backport "DSA" keyword in crypto-policies + +* Tue Sep 25 2018 Daiki Ueno - 3.39.0-1.0 +- Update to NSS 3.39 + +* Fri Sep 14 2018 Daiki Ueno - 3.38.0-1.2 +- Fix LDFLAGS injection when linking DSO + +* Tue Jul 24 2018 Daiki Ueno - 3.38.0-1.1 +- Install crypto-policies configuration file for + https://fedoraproject.org/wiki/Changes/NSSLoadP11KitModules +- Port enable-fips-when-system-is-in-fips-mode.patch from RHEL-7 +- Use %%ldconfig_scriptlets +- Remove needless use of %defattr, by Jason Tibbitts + +* Wed Jul 18 2018 Daiki Ueno - 3.38.0-1.0 +- Update to NSS 3.38 + +* Tue Jul 17 2018 Kai Engert - 3.36.1-1.2 +- Backport upstream addition of nss-policy-check utility, rhbz#1428746, + includes required fixes for mozbz#1296263 and mozbz#1474875 + +* Fri May 25 2018 Daiki Ueno - 3.36.1-1.1 +- Switch the default DB type to SQL +- Enable SSLKEYLOGFILE + +* Wed Apr 11 2018 Daiki Ueno - 3.36.1-1.0 +- Update to NSS 3.36.1 +- Remove nss-3.14.0.0-disble-ocsp-test.patch +- Fix partial injection of LDFLAGS +- Remove NSS_NO_PKCS11_BYPASS, which is no-op in upstream + +* Fri Mar 9 2018 Daiki Ueno - 3.36.0-1.0 +- Update to NSS 3.36.0 +- Add gcc-c++ to BuildRequires (C++ is needed for gtests) +- Make test failure detection robuster + +* Thu Feb 08 2018 Fedora Release Engineering - 3.35.0-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild + +* Mon Jan 29 2018 Kai Engert - 3.35.0-4 +- Fix a compiler error with gcc 8, mozbz#1434070 +- Set NSS_FORCE_FIPS=1 at %%build time, and remove from %%check. + +* Mon Jan 29 2018 Kai Engert - 3.35.0-3 +- Stop pulling in nss-pem automatically, packages that need it should + depend on it, rhbz#1539401 + +* Tue Jan 23 2018 Daiki Ueno - 3.35.0-2 +- Update to NSS 3.35.0 + +* Tue Nov 14 2017 Daiki Ueno - 3.34.0-2 +- Update to NSS 3.34.0 + +* Fri Nov 10 2017 Daiki Ueno - 3.33.0-6 +- Make sure 32bit nss-pem always be installed with 32bit nss in + multlib environment, patch by Kamil Dudka + +* Wed Nov 8 2017 Kai Engert - 3.33.0-5 +- Fix test script + +* Tue Nov 7 2017 Kai Engert - 3.33.0-4 +- Update tests to be compatible with default NSS DB changed to sql + (the default was changed in the nss-util package). + +* Tue Oct 24 2017 Kai Engert - 3.33.0-3 +- rhbz#1505487, backport upstream fixes required for rhbz#1496560 + +* Tue Oct 3 2017 Daiki Ueno - 3.33.0-2 +- Update to NSS 3.33.0 + +* Fri Sep 15 2017 Daiki Ueno - 3.32.1-2 +- Update to NSS 3.32.1 + +* Wed Sep 6 2017 Daiki Ueno - 3.32.0-4 +- Update iquote.patch to really prefer in-tree headers over system headers + +* Wed Aug 23 2017 Kai Engert - 3.32.0-3 +- NSS libnssckbi.so has already been obsoleted by p11-kit-trust, rhbz#1484449 + +* Mon Aug 7 2017 Daiki Ueno - 3.32.0-2 +- Update to NSS 3.32.0 + +* Thu Aug 03 2017 Fedora Release Engineering - 3.31.0-6 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild + +* Thu Jul 27 2017 Fedora Release Engineering - 3.31.0-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild + +* Tue Jul 18 2017 Daiki Ueno - 3.31.0-4 +- Backport mozbz#1381784 to avoid deadlock in dnf + +* Thu Jul 13 2017 Daiki Ueno - 3.31.0-3 +- Move signtool to %%_libdir/nss/unsupported-tools, for: + https://fedoraproject.org/wiki/Changes/NSSSigntoolDeprecation + +* Wed Jun 21 2017 Daiki Ueno - 3.31.0-2 +- Rebase to NSS 3.31.0 + +* Fri Jun 2 2017 Daiki Ueno - 3.30.2-3 +- Enable gtests + +* Mon Apr 24 2017 Daiki Ueno - 3.30.2-2 +- Rebase to NSS 3.30.2 +- Enable TLS 1.3 + +* Thu Mar 30 2017 Kai Engert - 3.30.0-3 +- Backport upstream mozbz#1328318 to support crypto policy FUTURE. + +* Tue Mar 21 2017 Daiki Ueno - 3.30.0-2 +- Rebase to NSS 3.30.0 +- Remove upstreamed patches + +* Thu Mar 02 2017 Kai Engert - 3.29.1-3 +- Backport mozbz#1334976 and mozbz#1336487. + +* Fri Feb 17 2017 Daiki Ueno - 3.29.1-2 +- Rebase to NSS 3.29.1 + +* Thu Feb 9 2017 Daiki Ueno - 3.29.0-3 +- Disable TLS 1.3, following the upstream change + +* Wed Feb 8 2017 Daiki Ueno - 3.29.0-2 +- Rebase to NSS 3.29.0 +- Suppress -Werror=int-in-bool-context warnings with GCC7 + +* Mon Jan 23 2017 Daiki Ueno - 3.28.1-6 +- Work around pkgconfig -> pkgconf transition issue (releng#6597) + +* Fri Jan 20 2017 Daiki Ueno - 3.28.1-5 +- Disable TLS 1.3 +- Add "Conflicts" with packages using older Mozilla codebase, which is + not compatible with NSS 3.28.1 +- Remove NSS_ECC_MORE_THAN_SUITE_B setting, as it was removed in upstream + +* Tue Jan 17 2017 Daiki Ueno - 3.28.1-4 +- Add "Conflicts" with older firefox packages which don't have support + for smaller curves added in NSS 3.28.1 + +* Fri Jan 13 2017 Daiki Ueno - 3.28.1-3 +- Fix incorrect version specification in %%nss_{util,softokn}_version, + pointed by Elio Maldonado + +* Fri Jan 6 2017 Daiki Ueno - 3.28.1-2 +- Rebase to NSS 3.28.1 +- Remove upstreamed patch for disabling RSA-PSS +- Re-enable TLS 1.3 + +* Wed Nov 30 2016 Daiki Ueno - 3.27.2-2 +- Rebase to NSS 3.27.2 + +* Tue Nov 15 2016 Daiki Ueno - 3.27.0-5 +- Revert the previous fix for RSA-PSS and use the upstream fix instead + +* Wed Nov 02 2016 Kai Engert - 3.27.0-4 +- Disable the use of RSA-PSS with SSL/TLS. #1383809 + +* Sun Oct 2 2016 Daiki Ueno - 3.27.0-3 +- Disable TLS 1.3 for now, to avoid reported regression with TLS to + version intolerant servers + +* Thu Sep 29 2016 Daiki Ueno - 3.27.0-2 +- Rebase to NSS 3.27.0 +- Remove upstreamed ectest patch + +* Mon Aug 8 2016 Daiki Ueno - 3.26.0-2 +- Rebase to NSS 3.26.0 +- Update check policy file patch to better match what was upstreamed +- Remove conditionally ignore system policy patch as it has been upstreamed +- Skip ectest as well as ecperf, which are built as part of nss-softokn +- Fix rpmlint error regarding %%define usage + +* Thu Jul 14 2016 Elio Maldonado - 3.25.0-6 +- Incorporate some changes requested in upstream review and commited upstream (#1157720) + +* Fri Jul 01 2016 Elio Maldonado - 3.25.0-5 +- Add support for conditionally ignoring the system policy (#1157720) +- Remove unneeded test scripts patches in order to run more tests +- Remove unneeded test data modifications from the spec file + +* Tue Jun 28 2016 Elio Maldonado - 3.25.0-4 +- Remove obsolete patch and spurious lines from the spec file (#1347336) + +* Sun Jun 26 2016 Elio Maldonado - 3.25.0-3 +- Cleanup spec file and patches and add references to bugs filed upstream + +* Fri Jun 24 2016 Elio Maldonado - 3.25.0-2 +- Rebase to nss 3.25 + +* Thu Jun 16 2016 Kamil Dudka - 3.24.0-3 +- decouple nss-pem from the nss package (#1347336) + +* Fri Jun 03 2016 Elio Maldonado - 3.24.0-2.3 +- Apply the patch that was last introduced +- Renumber and reorder some of the patches +- Resolves: Bug 1342158 + +* Thu Jun 02 2016 Elio Maldonado - 3.24.0-2.2 +- Allow application requests to disable SSL v2 to succeed +- Resolves: Bug 1342158 - nss-3.24 does no longer support ssl V2, installation of IPA fails because nss init fails + +* Sun May 29 2016 Elio Maldonado - 3.24.0-2.1 +- Rebase to NSS 3.24.0 +- Restore setting the policy file location +- Make ssl tests scripts aware of policy +- Ajust tests data expected result for policy + +* Tue May 24 2016 Elio Maldonado - 3.24.0-2.0 +- Bootstrap build to rebase to NSS 3.24.0 +- Temporarily not setting the policy file location + +* Thu May 12 2016 Elio Maldonado - 3.23.0-9 +- Change POLICY_FILE to "nss.config" + +* Fri Apr 22 2016 Elio Maldonado - 3.23.0-8 +- Change POLICY_FILE to "nss.cfg" + +* Wed Apr 20 2016 Elio Maldonado - 3.23.0-7 +- Change the POLICY_PATH to "/etc/crypto-policies/back-ends" +- Regenerate the check policy patch with hg to provide more context + +* Thu Apr 14 2016 Elio Maldonado - 3.23.0-6 +- Fix typo in the last %%changelog entry + +* Thu Mar 24 2016 Elio Maldonado - 3.23.0-5 +- Load policy file if /etc/pki/nssdb/policy.cfg exists +- Resolves: Bug 1157720 - NSS should enforce the system-wide crypto policy + +* Tue Mar 08 2016 Elio Maldonado - 3.23.0-4 +- Remove unused patch rendered obsolete by pem update + +* Tue Mar 08 2016 Elio Maldonado - 3.23.0-3 +- Update pem sources to latest from nss-pem upstream +- Resolves: Bug 1300652 - [PEM] insufficient input validity checking while loading a private key + +* Sat Mar 05 2016 Elio Maldonado - 3.23.0-2 +- Rebase to NSS 3.23 + +* Sat Feb 27 2016 Elio Maldonado - 3.22.2-2 +- Rebase to NSS 3.22.2 + +* Tue Feb 23 2016 Elio Maldonado - 3.22.1-3 +- Fix ssl2/exp test disabling to run all the required tests + +* Sun Feb 21 2016 Elio Maldonado - 3.22.1-1 +- Rebase to NSS 3.22.1 + +* Mon Feb 08 2016 Elio Maldonado - 3.22.0-3 +- Update .gitignore as part of updating to nss 3.22 + +* Mon Feb 08 2016 Elio Maldonado - 3.22.0-2 +- Update to NSS 3.22 + +* Thu Feb 04 2016 Fedora Release Engineering - 3.21.0-7 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild + +* Fri Jan 15 2016 Elio Maldonado - 3.21.0-6 +- Resolves: Bug 1299040 - Enable ssl_gtests upstream test suite +- Remove 'export NSS_DISABLE_GTESTS=1' go ssl_gtests are built +- Use %%define when specifying the nss_tests to run + +* Wed Dec 30 2015 Michal Toman - 3.21.0-5 +- Add 64-bit MIPS to multilib arches + +* Fri Nov 20 2015 Elio Maldonado - 3.21.0-4 +- Update %%{nss_util_version} and %%{nss_softokn_version} to 3.21.0 +- Resolves: Bug 1284095 - all https fails with sec_error_no_token + +* Sun Nov 15 2015 Elio Maldonado - 3.21.0-3 +- Add references to bugs filed upstream + +* Fri Nov 13 2015 Elio Maldonado Batiz - 3.21.1-2 +- Update to NSS 3.21 +- Package listsuites as part of the unsupported tools set +- Resolves: Bug 1279912 - nss-3.21 is available +- Resolves: Bug 1258425 - Use __isa_bits macro instead of list of 64-bit +- Resolves: Bug 1280032 - Package listsuites as part of the nss unsupported tools set + +* Fri Oct 30 2015 Elio Maldonado - 3.20.1-2 +- Update to NSS 3.20.1 + +* Wed Sep 30 2015 Elio Maldonado - 3.20.0-6 +- Enable ECC cipher-suites by default [hrbz#1185708] +- Split the enabling patch in two for easier maintenance +- Remove unused patches rendered obsolete by prior rebase + +* Wed Sep 16 2015 Elio Maldonado - 3.20.0-5 +- Enable ECC cipher-suites by default [hrbz#1185708] +- Implement corrections requested in code review + +* Tue Sep 15 2015 Elio Maldonado - 3.20.0-4 +- Enable ECC cipher-suites by default [hrbz#1185708] + +* Mon Sep 14 2015 Elio Maldonado - 3.20.0-3 +- Fix patches that disable ssl2 and export cipher suites support +- Fix libssl patch that disable ssl2 & export cipher suites to not disable RSA_WITH_NULL ciphers +- Fix syntax errors in patch to skip ssl2 and export cipher suite tests +- Turn ssl2 off by default in the tstclnt tool +- Disable ssl stress tests containing TLS RC4 128 with MD5 + +* Thu Aug 20 2015 Elio Maldonado - 3.20.0-2 +- Update to NSS 3.20 + +* Sat Aug 08 2015 Elio Maldonado - 3.19.3-2 +- Update to NSS 3.19.3 + +* Fri Jun 26 2015 Elio Maldonado - 3.19.2-3 +- Create on the fly versions of sslcov.txt and sslstress.txt that disable tests for SSL2 and EXPORT ciphers + +* Wed Jun 17 2015 Kai Engert - 3.19.2-2 +- Update to NSS 3.19.2 + +* Thu May 28 2015 Kai Engert - 3.19.1-2 +- Update to NSS 3.19.1 + +* Tue May 19 2015 Kai Engert - 3.19.0-2 +- Update to NSS 3.19 + +* Fri May 15 2015 Kai Engert - 3.18.0-2 +- Replace expired test certificates, upstream bug 1151037 + +* Thu Mar 19 2015 Elio Maldonado - 3.18.0-1 +- Update to nss-3.18.0 +- Resolves: Bug 1203689 - nss-3.18 is available + +* Tue Mar 03 2015 Elio Maldonado - 3.17.4-5 +- Disable export suites and SSL2 support at build time +- Fix syntax errors in various shell scripts +- Resolves: Bug 1189952 - Disable SSL2 and the export cipher suites + +* Sat Feb 21 2015 Till Maas - 3.17.4-4 +- Rebuilt for Fedora 23 Change + https://fedoraproject.org/wiki/Changes/Harden_all_packages_with_position-independent_code + +* Tue Feb 10 2015 Elio Maldonado - 3.17.4-3 +- Commented out the export NSS_NO_SSL2=1 line to not disable ssl2 +- Backing out from disabling ssl2 until the patches are fixed + +* Mon Feb 09 2015 Elio Maldonado - 3.17.4-2 +- Disable SSL2 support at build time +- Fix syntax errors in various shell scripts +- Resolves: Bug 1189952 - Disable SSL2 and the export cipher suites + +* Wed Jan 28 2015 Elio Maldonado - 3.17.4-1 +- Update to nss-3.17.4 + +* Sat Jan 24 2015 Ville Skyttä - 3.17.3-4 +- Own the %%{_datadir}/doc/nss-tools dir + +* Tue Dec 16 2014 Elio Maldonado - 3.17.3-3 +- Resolves: Bug 987189 - nss-tools RPM conflicts with perl-PAR-Packer +- Install pp man page in %%{_datadir}/doc/nss-tools/pp.1 +- Use %%{_mandir} instead of /usr/share/man as more generic + +* Mon Dec 15 2014 Elio Maldonado - 3.17.3-2 +- Install pp man page in alternative location +- Resolves: Bug 987189 - nss-tools RPM conflicts with perl-PAR-Packer + +* Fri Dec 05 2014 Elio Maldonado - 3.17.3-1 +- Update to nss-3.17.3 +- Resolves: Bug 1171012 - nss-3.17.3 is available + +* Thu Oct 16 2014 Elio Maldonado - 3.17.2-2 +- Resolves: Bug 994599 - Enable TLS 1.2 by default + +* Sun Oct 12 2014 Elio Maldonado - 3.17.2-1 +- Update to nss-3.17.2 + +* Wed Sep 24 2014 Kai Engert - 3.17.1-1 +- Update to nss-3.17.1 +- Add a mechanism to skip test suite execution during development work + +* Thu Aug 21 2014 Kevin Fenzi - 3.17.0-2 +- Rebuild for rpm bug 1131960 + +* Tue Aug 19 2014 Elio Maldonado - 3.17.0-1 +- Update to nss-3.17.0 + +* Sun Aug 17 2014 Fedora Release Engineering - 3.16.2-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild + +* Wed Jul 30 2014 Elio Maldonado - 3.16.2-3 +- Replace expired PayPal test cert with current one to prevent build failure + +* Fri Jul 18 2014 Tom Callaway - 3.16.2-2 +- fix license handling + +* Sun Jun 29 2014 Elio Maldonado - 3.16.2-1 +- Update to nss-3.16.2 + +* Sun Jun 15 2014 Elio Maldonado - 3.16.1-4 +- Remove unwanted source directories at end of %%prep so it truly does it +- Skip the cipher suite already run as part of the nss-softokn build + +* Sat Jun 07 2014 Fedora Release Engineering - 3.16.1-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild + +* Mon May 12 2014 Jaromir Capik - 3.16.1-2 +- Replacing ppc64 and ppc64le with the power64 macro +- Related: Bug 1052545 - Trivial change for ppc64le in nss spec + +* Tue May 06 2014 Elio Maldonado - 3.16.1-1 +- Update to nss-3.16.1 +- Update the iquote patch on account of the rebase +- Improve error detection in the %%section +- Resolves: Bug 1094702 - nss-3.16.1 is available + +* Tue Mar 18 2014 Elio Maldonado - 3.16.0-1 +- Update to nss-3.16.0 +- Cleanup the copying of the tools man pages +- Update the iquote.patch on account of the rebase + +* Tue Mar 04 2014 Elio Maldonado - 3.15.5-2 +- Restore requiring nss_softokn_version >= 3.15.5 + +* Wed Feb 19 2014 Elio Maldonado - 3.15.5-1 +- Update to nss-3.15.5 +- Temporarily requiring only nss_softokn_version >= 3.15.4 +- Fix location of sharedb files and their manpages +- Move cert9.db, key4.db, and pkcs11.txt to the main package +- Move nss-sysinit manpages tar archives to the main package +- Resolves: Bug 1066877 - nss-3.15.5 is available +- Resolves: Bug 1067091 - Move sharedb files to the %%files section + +* Thu Feb 06 2014 Elio Maldonado - 3.15.4-5 +- Revert previous change that moved some sysinit manpages +- Restore nss-sysinit manpages tar archives to %%files sysinit +- Removing spurious wildcard entry was the only change needed + +* Mon Jan 27 2014 Elio Maldonado - 3.15.4-4 +- Add explanatory comments for iquote.patch as was done on f20 + +* Sat Jan 25 2014 Elio Maldonado - 3.15.4-3 +- Update pem sources to latest from nss-pem upstream +- Pick up pem fixes verified on RHEL and applied upstream +- Fix a problem where same files in two rpms created rpm conflict +- Move some nss-sysinit manpages tar archives to the %%files the +- All man pages are listed by name so there shouldn't be wildcard inclusion +- Add support for ppc64le, Resolves: Bug 1052545 + +* Mon Jan 20 2014 Peter Robinson 3.15.4-2 +- ARM tests pass so remove ARM conditional + +* Tue Jan 07 2014 Elio Maldonado - 3.15.4-1 +- Update to nss-3.15.4 (hg tag NSS_3_15_4_RTM) +- Resolves: Bug 1049229 - nss-3.15.4 is available +- Update pem sources to latest from the interim upstream for pem +- Remove no longer needed patches +- Update pem/rsawrapr.c patch on account of upstream changes to freebl/softoken +- Update iquote.patch on account of upstream changes + +* Wed Dec 11 2013 Elio Maldonado - 3.15.3.1-1 +- Update to nss-3.15.3.1 (hg tag NSS_3_15_3_1_RTM) +- Resolves: Bug 1040282 - nss: Mis-issued ANSSI/DCSSI certificate (MFSA 2013-117) +- Resolves: Bug 1040192 - nss-3.15.3.1 is available + +* Tue Dec 03 2013 Elio Maldonado - 3.15.3-2 +- Bump the release tag + +* Sun Nov 24 2013 Elio Maldonado - 3.15.3-1 +- Update to NSS_3_15_3_RTM +- Resolves: Bug 1031897 - CVE-2013-5605 CVE-2013-5606 CVE-2013-1741 nss: various flaws +- Fix option descriptions for setup-nsssysinit manpage +- Fix man page of nss-sysinit wrong path and other flaws +- Document email option for certutil manpage +- Remove unused patches + +* Sun Oct 27 2013 Elio Maldonado - 3.15.2-3 +- Revert one change from last commit to preserve full nss pluggable ecc supprt [1019245] + +* Wed Oct 23 2013 Elio Maldonado - 3.15.2-2 +- Use the full sources from upstream +- Bug 1019245 - ECDHE in openssl available -> NSS needs too for Firefox/Thunderbird + +* Thu Sep 26 2013 Elio Maldonado - 3.15.2-1 +- Update to NSS_3_15_2_RTM +- Update iquote.patch on account of modified prototype on cert.h installed by nss-devel + +* Wed Aug 28 2013 Elio Maldonado - 3.15.1-7 +- Update pem sources to pick up a patch applied upstream which a faulty merge had missed +- The pem module should not require unique file basenames + +* Tue Aug 27 2013 Elio Maldonado - 3.15.1-6 +- Update pem sources to the latest from interim upstream + +* Mon Aug 19 2013 Elio Maldonado - 3.15.1-5 +- Resolves: rhbz#996639 - Minor bugs in nss man pages +- Fix some typos and improve description and see also sections + +* Sun Aug 11 2013 Elio Maldonado - 3.15.1-4 +- Cleanup spec file to address most rpmlint errors and warnings +- Using double percent symbols to fix macro-in-comment warnings +- Ignore unversioned-explicit-provides nss-system-init per spec comments +- Ignore invalid-url Source0 as it comes from the git lookaside cache +- Ignore invalid-url Source12 as it comes from the git lookaside cache + +* Thu Jul 25 2013 Elio Maldonado - 3.15.1-3 +- Add man page for pkcs11.txt configuration file and cert and key databases +- Resolves: rhbz#985114 - Provide man pages for the nss configuration files + +* Fri Jul 19 2013 Elio Maldonado - 3.15.1-2 +- Fix errors in the man pages +- Resolves: rhbz#984106 - Add missing option descriptions to man pages for {cert|cms|crl}util +- Resolves: rhbz#982856 - Fix path to script in man page for nss-sysinit + +* Tue Jul 02 2013 Elio Maldonado - 3.15.1-1 +- Update to NSS_3_15_1_RTM +- Enable the iquote.patch to access newly introduced types + +* Wed Jun 19 2013 Elio Maldonado - 3.15-5 +- Install man pages for nss-tools and the nss-config and setup-nsssysinit scripts +- Resolves: rhbz#606020 - nss security tools lack man pages + +* Tue Jun 18 2013 emaldona - 3.15-4 +- Build nss without softoken or util sources in the tree +- Resolves: rhbz#689918 + +* Mon Jun 17 2013 emaldona - 3.15-3 +- Update ssl-cbc-random-iv-by-default.patch + +* Sun Jun 16 2013 Elio Maldonado - 3.15-2 +- Fix generation of NSS_VMAJOR, NSS_VMINOR, and NSS_VPATCH for nss-config + +* Sat Jun 15 2013 Elio Maldonado - 3.15-1 +- Update to NSS_3_15_RTM + +* Wed Apr 24 2013 Elio Maldonado - 3.15-0.1.beta1.2 +- Fix incorrect path that hid failed test from view +- Add ocsp to the test suites to run but ... +- Temporarily disable the ocsp stapling tests +- Do not treat failed attempts at ssl pkcs11 bypass as fatal errors + +* Thu Apr 04 2013 Elio Maldonado - 3.15-0.1.beta1.1 +- Update to NSS_3_15_BETA1 +- Update spec file, patches, and helper scripts on account of a shallower source tree + +* Sun Mar 24 2013 Kai Engert - 3.14.3-12 +- Update expired test certificates (fixed in upstream bug 852781) + +* Fri Mar 08 2013 Kai Engert - 3.14.3-10 +- Fix incorrect post/postun scripts. Fix broken links in posttrans. + +* Wed Mar 06 2013 Kai Engert - 3.14.3-9 +- Configure libnssckbi.so to use the alternatives system + in order to prepare for a drop in replacement. + +* Fri Feb 15 2013 Elio Maldonado - 3.14.3-1 +- Update to NSS_3_14_3_RTM +- sync up pem rsawrapr.c with softoken upstream changes for nss-3.14.3 +- Resolves: rhbz#908257 - CVE-2013-1620 nss: TLS CBC padding timing attack +- Resolves: rhbz#896651 - PEM module trashes private keys if login fails +- Resolves: rhbz#909775 - specfile support for AArch64 +- Resolves: rhbz#910584 - certutil -a does not produce ASCII output + +* Mon Feb 04 2013 Elio Maldonado - 3.14.2-2 +- Allow building nss against older system sqlite + +* Fri Feb 01 2013 Elio Maldonado - 3.14.2-1 +- Update to NSS_3_14_2_RTM + +* Wed Jan 02 2013 Kai Engert - 3.14.1-3 +- Update to NSS_3_14_1_WITH_CKBI_1_93_RTM + +* Sat Dec 22 2012 Elio Maldonado - 3.14.1-2 +- Require nspr >= 4.9.4 +- Fix changelog invalid dates + +* Mon Dec 17 2012 Elio Maldonado - 3.14.1-1 +- Update to NSS_3_14_1_RTM + +* Wed Dec 12 2012 Elio Maldonado - 3.14-12 +- Bug 879978 - Install the nssck.api header template where mod_revocator can access it +- Install nssck.api in /usr/includes/nss3/templates + +* Tue Nov 27 2012 Elio Maldonado - 3.14-11 +- Bug 879978 - Install the nssck.api header template in a place where mod_revocator can access it +- Install nssck.api in /usr/includes/nss3 + +* Mon Nov 19 2012 Elio Maldonado - 3.14-10 +- Bug 870864 - Add support in NSS for Secure Boot + +* Sat Nov 10 2012 Elio Maldonado - 3.14-9 +- Disable bypass code at build time and return failure on attempts to enable at runtime +- Bug 806588 - Disable SSL PKCS #11 bypass at build time + +* Sun Nov 04 2012 Elio Maldonado - 3.14-8 +- Fix pk11wrap locking which fixes 'fedpkg new-sources' and 'fedpkg update' hangs +- Bug 872124 - nss-3.14 breaks fedpkg new-sources +- Fix should be considered preliminary since the patch may change upon upstream approval + +* Thu Nov 01 2012 Elio Maldonado - 3.14-7 +- Add a dummy source file for testing /preventing fedpkg breakage +- Helps test the fedpkg new-sources and upload commands for breakage by nss updates +- Related to Bug 872124 - nss 3.14 breaks fedpkg new-sources + +* Thu Nov 01 2012 Elio Maldonado - 3.14-6 +- Fix a previous unwanted merge from f18 +- Update the SS_SSL_CBC_RANDOM_IV patch to match new sources while +- Keeping the patch disabled while we are still in rawhide and +- State in comment that patch is needed for both stable and beta branches +- Update .gitignore to download only the new sources + +* Wed Oct 31 2012 Elio Maldonado - 3.14-5 +- Fix the spec file so sechash.h gets installed +- Resolves: rhbz#871882 - missing header: sechash.h in nss 3.14 + +* Sat Oct 27 2012 Elio Maldonado - 3.14-4 +- Update the license to MPLv2.0 + +* Wed Oct 24 2012 Elio Maldonado - 3.14-3 +- Use only -f when removing unwanted headers + +* Tue Oct 23 2012 Elio Maldonado - 3.14-2 +- Add secmodt.h to the headers installed by nss-devel +- nss-devel must install secmodt.h which moved from softoken to pk11wrap with nss-3.14 + +* Mon Oct 22 2012 Elio Maldonado - 3.14-1 +- Update to NSS_3_14_RTM + +* Sun Oct 21 2012 Elio Maldonado - 3.14-0.1.rc.1 +- Update to NSS_3_14_RC1 +- update nss-589636.patch to apply to httpdserv +- turn off ocsp tests for now +- remove no longer needed patches +- remove headers shipped by nss-util + +* Fri Oct 05 2012 Kai Engert - 3.13.6-1 +- Update to NSS_3_13_6_RTM + +* Mon Aug 27 2012 Elio Maldonado - 3.13.5-8 +- Rebase pem sources to fedora-hosted upstream to pick up two fixes from rhel-6.3 +- Resolves: rhbz#847460 - Fix invalid read and free on invalid cert load +- Resolves: rhbz#847462 - PEM module may attempt to free uninitialized pointer +- Remove unneeded fix gcc 4.7 c++ issue in secmodt.h that actually undoes the upstream fix + +* Mon Aug 13 2012 Elio Maldonado - 3.13.5-7 +- Fix pluggable ecc support + +* Fri Jul 20 2012 Fedora Release Engineering - 3.13.5-6 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild + +* Sun Jul 01 2012 Elio Maldonado - 3.13.5-5 +- Fix checkin comment to prevent unwanted expansions of percents + +* Sun Jul 01 2012 Elio Maldonado - 3.13.5-4 +- Resolves: Bug 830410 - Missing Requires %%{?_isa} +- Use Requires: %%{name}%%{?_isa} = %%{version}-%%{release} on tools +- Drop zlib requires which rpmlint reports as error E: explicit-lib-dependency zlib +- Enable sha224 portion of powerup selftest when running test suites +- Require nspr 4.9.1 + +* Wed Jun 20 2012 Elio Maldonado - 3.13.5-3 +- Resolves: rhbz#833529 - revert unwanted change to nss.pc.in + +* Tue Jun 19 2012 Elio Maldonado - 3.13.5-2 +- Resolves: rhbz#833529 - Remove unwanted space from the Libs: line on nss.pc.in + +* Mon Jun 18 2012 Elio Maldonado - 3.13.5-1 +- Update to NSS_3_13_5_RTM + +* Fri Apr 13 2012 Elio Maldonado - 3.13.4-3 +- Resolves: Bug 812423 - nss_Init leaks memory, fix from RHEL 6.3 + +* Sun Apr 08 2012 Elio Maldonado - 3.13.4-2 +- Resolves: Bug 805723 - Library needs partial RELRO support added +- Patch coreconf/Linux.mk as done on RHEL 6.2 + +* Fri Apr 06 2012 Elio Maldonado - 3.13.4-1 +- Update to NSS_3_13_4_RTM +- Update the nss-pem source archive to the latest version +- Remove no longer needed patches +- Resolves: Bug 806043 - use pem files interchangeably in a single process +- Resolves: Bug 806051 - PEM various flaws detected by Coverity +- Resolves: Bug 806058 - PEM pem_CreateObject leaks memory given a non-existing file name + +* Wed Mar 21 2012 Elio Maldonado - 3.13.3-4 +- Resolves: Bug 805723 - Library needs partial RELRO support added + +* Fri Mar 09 2012 Elio Maldonado - 3.13.3-3 +- Cleanup of the spec file +- Add references to the upstream bugs +- Fix typo in Summary for sysinit + +* Thu Mar 08 2012 Elio Maldonado - 3.13.3-2 +- Pick up fixes from RHEL +- Resolves: rhbz#800674 - Unable to contact LDAP Server during winsync +- Resolves: rhbz#800682 - Qpid AMQP daemon fails to load after nss update +- Resolves: rhbz#800676 - NSS workaround for freebl bug that causes openswan to drop connections + +* Thu Mar 01 2012 Elio Maldonado - 3.13.3-1 +- Update to NSS_3_13_3_RTM + +* Mon Jan 30 2012 Tom Callaway - 3.13.1-13 +- fix issue with gcc 4.7 in secmodt.h and C++11 user-defined literals + +* Thu Jan 26 2012 Elio Maldonado - 3.13.1-12 +- Resolves: Bug 784672 - nss should protect against being called before nss_Init + +* Fri Jan 13 2012 Fedora Release Engineering - 3.13.1-11 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild + +* Fri Jan 06 2012 Elio Maldonado - 3.13.1-11 +- Deactivate a patch currently meant for stable branches only + +* Fri Jan 06 2012 Elio Maldonado - 3.13.1-10 +- Resolves: Bug 770682 - nss update breaks pidgin-sipe connectivity +- NSS_SSL_CBC_RANDOM_IV set to 0 by default and changed to 1 on user request + +* Tue Dec 13 2011 elio maldonado - 3.13.1-9 +- Revert to using current nss_softokn_version +- Patch to deal with lack of sha224 is no longer needed + +* Tue Dec 13 2011 Elio Maldonado - 3.13.1-8 +- Resolves: Bug 754771 - [PEM] an unregistered callback causes a SIGSEGV + +* Mon Dec 12 2011 Elio Maldonado - 3.13.1-7 +- Resolves: Bug 750376 - nss 3.13 breaks sssd TLS +- Fix how pem is built so that nss-3.13.x works with nss-softokn-3.12.y +- Only patch blapitest for the lack of sha224 on system freebl +- Completed the patch to make pem link against system freebl + +* Mon Dec 05 2011 Elio Maldonado - 3.13.1-6 +- Removed unwanted /usr/include/nss3 in front of the normal cflags include path +- Removed unnecessary patch dealing with CERTDB_TERMINAL_RECORD, it's visible + +* Sun Dec 04 2011 Elio Maldonado - 3.13.1-5 +- Statically link the pem module against system freebl found in buildroot +- Disabling sha224-related powerup selftest until we update softokn +- Disable sha224 and pss tests which nss-softokn 3.12.x doesn't support + +* Fri Dec 02 2011 Elio Maldonado Batiz - 3.13.1-4 +- Rebuild with nss-softokn from 3.12 in the buildroot +- Allows the pem module to statically link against 3.12.x freebl +- Required for using nss-3.13.x with nss-softokn-3.12.y for a merge inrto rhel git repo +- Build will be temprarily placed on buildroot override but not pushed in bodhi + +* Fri Nov 04 2011 Elio Maldonado - 3.13.1-2 +- Fix broken dependencies by updating the nss-util and nss-softokn versions + +* Thu Nov 03 2011 Elio Maldonado - 3.13.1-1 +- Update to NSS_3_13_1_RTM +- Update builtin certs to those from NSSCKBI_1_88_RTM + +* Sat Oct 15 2011 Elio Maldonado - 3.13-1 +- Update to NSS_3_13_RTM + +* Sat Oct 08 2011 Elio Maldonado - 3.13-0.1.rc0.1 +- Update to NSS_3_13_RC0 + +* Wed Sep 14 2011 Elio Maldonado - 3.12.11-3 +- Fix attempt to free initilized pointer (#717338) +- Fix leak on pem_CreateObject when given non-existing file name (#734760) +- Fix pem_Initialize to return CKR_CANT_LOCK on multi-treaded calls (#736410) + +* Tue Sep 06 2011 Kai Engert - 3.12.11-2 +- Update builtins certs to those from NSSCKBI_1_87_RTM + +* Tue Aug 09 2011 Elio Maldonado - 3.12.11-1 +- Update to NSS_3_12_11_RTM + +* Sat Jul 23 2011 Elio Maldonado - 3.12.10-6 +- Indicate the provenance of stripped source tarball (#688015) + +* Mon Jun 27 2011 Michael Schwendt - 3.12.10-5 +- Provide virtual -static package to meet guidelines (#609612). + +* Fri Jun 10 2011 Elio Maldonado - 3.12.10-4 +- Enable pluggable ecc support (#712556) +- Disable the nssdb write-access-on-read-only-dir tests when user is root (#646045) + +* Fri May 20 2011 Dennis Gilmore - 3.12.10-3 +- make the testsuite non fatal on arm arches + +* Tue May 17 2011 Elio Maldonado - 3.12.10-2 +- Fix crmf hard-coded maximum size for wrapped private keys (#703656) + +* Fri May 06 2011 Elio Maldonado - 3.12.10-1 +- Update to NSS_3_12_10_RTM + +* Wed Apr 27 2011 Elio Maldonado - 3.12.10-0.1.beta1 +- Update to NSS_3_12_10_BETA1 + +* Mon Apr 11 2011 Elio Maldonado - 3.12.9-15 +- Implement PEM logging using NSPR's own (#695011) + +* Wed Mar 23 2011 Elio Maldonado - 3.12.9-14 +- Update to NSS_3.12.9_WITH_CKBI_1_82_RTM + +* Thu Feb 24 2011 Elio Maldonado - 3.12.9-13 +- Short-term fix for ssl test suites hangs on ipv6 type connections (#539183) + +* Fri Feb 18 2011 Elio Maldonado - 3.12.9-12 +- Add a missing requires for pkcs11-devel (#675196) + +* Tue Feb 15 2011 Elio Maldonado - 3.12.9-11 +- Run the test suites in the check section (#677809) + +* Thu Feb 10 2011 Elio Maldonado - 3.12.9-10 +- Fix cms headers to not use c++ reserved words (#676036) +- Reenabling Bug 499444 patches +- Fix to swap internal key slot on fips mode switches + +* Tue Feb 08 2011 Elio Maldonado - 3.12.9-9 +- Revert patches for 499444 until all c++ reserved words are found and extirpated + +* Tue Feb 08 2011 Fedora Release Engineering - 3.12.9-8 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild + +* Tue Feb 08 2011 Elio Maldonado - 3.12.9-7 +- Fix cms header to not use c++ reserved word (#676036) +- Reenable patches for bug 499444 + +* Tue Feb 08 2011 Christopher Aillon - 3.12.9-6 +- Revert patches for 499444 as they use a C++ reserved word and + cause compilation of Firefox to fail + +* Fri Feb 04 2011 Elio Maldonado - 3.12.9-5 +- Fix the earlier infinite recursion patch (#499444) +- Remove a header that now nss-softokn-freebl-devel ships + +* Tue Feb 01 2011 Elio Maldonado - 3.12.9-4 +- Fix infinite recursion when encoding NSS enveloped/digested data (#499444) + +* Mon Jan 31 2011 Elio Maldonado - 3.12.9-3 +- Update the cacert trust patch per upstream review requests (#633043) + +* Wed Jan 19 2011 Elio Maldonado - 3.12.9-2 +- Fix to honor the user's cert trust preferences (#633043) +- Remove obsoleted patch + +* Wed Jan 12 2011 Elio Maldonado - 3.12.9-1 +- Update to 3.12.9 + +* Mon Dec 27 2010 Elio Maldonado - 3.12.9-0.1.beta2 +- Rebuilt according to fedora pre-release package naming guidelines + +* Fri Dec 10 2010 Elio Maldonado - 3.12.8.99.2-1 +- Update to NSS_3_12_9_BETA2 +- Fix libpnsspem crash when cacert dir contains other directories (#642433) + +* Wed Dec 08 2010 Elio Maldonado - 3.12.8.99.1-1 +- Update to NSS_3_12_9_BETA1 + +* Thu Nov 25 2010 Elio Maldonado - 3.12.8-9 +- Update pem source tar with fixes for 614532 and 596674 +- Remove no longer needed patches + +* Fri Nov 05 2010 Elio Maldonado - 3.12.8-8 +- Update PayPalEE.cert test certificate which had expired + +* Sun Oct 31 2010 Elio Maldonado - 3.12.8-7 +- Tell rpm not to verify md5, size, and modtime of configurations file + +* Mon Oct 18 2010 Elio Maldonado - 3.12.8-6 +- Fix certificates trust order (#643134) +- Apply nss-sysinit-userdb-first.patch last + +* Wed Oct 06 2010 Elio Maldonado - 3.12.8-5 +- Move triggerpostun -n nss-sysinit script ahead of the other ones (#639248) + +* Tue Oct 05 2010 Elio Maldonado - 3.12.8-4 +- Fix invalid %%postun scriptlet (#639248) + +* Wed Sep 29 2010 Elio Maldonado - 3.12.8-3 +- Replace posttrans sysinit scriptlet with a triggerpostun one (#636787) +- Fix and cleanup the setup-nsssysinit.sh script (#636792, #636801) + +* Mon Sep 27 2010 Elio Maldonado - 3.12.8-2 +- Add posttrans scriptlet (#636787) + +* Thu Sep 23 2010 Elio Maldonado - 3.12.8-1 +- Update to 3.12.8 +- Prevent disabling of nss-sysinit on package upgrade (#636787) +- Create pkcs11.txt with correct permissions regardless of umask (#636792) +- Setup-nsssysinit.sh reports whether nss-sysinit is turned on or off (#636801) +- Added provides pkcs11-devel-static to comply with packaging guidelines (#609612) + +* Sat Sep 18 2010 Elio Maldonado - 3.12.7.99.4-1 +- NSS 3.12.8 RC0 + +* Sun Sep 05 2010 Elio Maldonado - 3.12.7.99.3-2 +- Fix nss-util_version and nss_softokn_version required to be 3.12.7.99.3 + +* Sat Sep 04 2010 Elio Maldonado - 3.12.7.99.3-1 +- NSS 3.12.8 Beta3 +- Fix unclosed comment in renegotiate-transitional.patch + +* Sat Aug 28 2010 Elio Maldonado - 3.12.7-3 +- Change BuildRequries to available version of nss-util-devel + +* Sat Aug 28 2010 Elio Maldonado - 3.12.7-2 +- Define NSS_USE_SYSTEM_SQLITE and remove unneeded patch +- Add comments regarding an unversioned provides which triggers rpmlint warning +- Build requires nss-softokn-devel >= 3.12.7 + +* Mon Aug 16 2010 Elio Maldonado - 3.12.7-1 +- Update to 3.12.7 + +* Sat Aug 14 2010 Elio Maldonado - 3.12.6-12 +- Apply the patches to fix rhbz#614532 + +* Mon Aug 09 2010 Elio Maldonado - 3.12.6-11 +- Removed pem sourecs as they are in the cache + +* Mon Aug 09 2010 Elio Maldonado - 3.12.6-10 +- Add support for PKCS#8 encoded PEM RSA private key files (#614532) + +* Sat Jul 31 2010 Elio Maldonado - 3.12.6-9 +- Fix nsssysinit to return userdb ahead of systemdb (#603313) + +* Tue Jun 08 2010 Dennis Gilmore - 3.12.6-8 +- Require and BuildRequire >= the listed version not = + +* Tue Jun 08 2010 Elio Maldonado - 3.12.6-7 +- Require nss-softoken 3.12.6 + +* Sun Jun 06 2010 Elio Maldonado - 3.12.6-6 +- Fix SIGSEGV within CreateObject (#596674) + +* Mon Apr 12 2010 Elio Maldonado - 3.12.6-5 +- Update pem source tar to pick up the following bug fixes: +- PEM - Allow collect objects to search through all objects +- PEM - Make CopyObject return a new shallow copy +- PEM - Fix memory leak in pem_mdCryptoOperationRSAPriv + +* Wed Apr 07 2010 Elio Maldonado - 3.12.6-4 +- Update the test cert in the setup phase + +* Wed Apr 07 2010 Elio Maldonado - 3.12.6-3 +- Add sed to sysinit requires as setup-nsssysinit.sh requires it (#576071) +- Update PayPalEE test cert with unexpired one (#580207) + +* Thu Mar 18 2010 Elio Maldonado - 3.12.6-2 +- Fix ns.spec to not require nss-softokn (#575001) + +* Sat Mar 06 2010 Elio Maldonado - 3.12.6-1.2 +- rebuilt with all tests enabled + +* Sat Mar 06 2010 Elio Maldonado - 3.12.6-1.1 +- Using SSL_RENEGOTIATE_TRANSITIONAL as default while on transition period +- Disabling ssl tests suites until bug 539183 is resolved + +* Sat Mar 06 2010 Elio Maldonado - 3.12.6-1 +- Update to 3.12.6 +- Reactivate all tests +- Patch tools to validate command line options arguments + +* Mon Jan 25 2010 Elio Maldonado - 3.12.5-8 +- Fix curl related regression and general patch code clean up + +* Wed Jan 13 2010 Elio Maldonado - 3.12.5-5 +- retagging + +* Tue Jan 12 2010 Elio Maldonado - 3.12.5-1.1 +- Fix SIGSEGV on call of NSS_Initialize (#553638) + +* Wed Jan 06 2010 Elio Maldonado - 3.12.5-1.13.2 +- New version of patch to allow root to modify ystem database (#547860) + +* Thu Dec 31 2009 Elio Maldonado - 3.12.5-1.13.1 +- Temporarily disabling the ssl tests + +* Sat Dec 26 2009 Elio Maldonado - 3.12.5-1.13 +- Fix nsssysinit to allow root to modify the nss system database (#547860) + +* Fri Dec 25 2009 Elio Maldonado - 3.12.5-1.11 +- Fix an error introduced when adapting the patch for rhbz #546211 + +* Sat Dec 19 2009 Elio maldonado - 3.12.5-1.9 +- Remove left over trace statements from nsssysinit patching + +* Fri Dec 18 2009 Elio Maldonado - 3.12.5-2.7 +- Fix a misconstructed patch + +* Thu Dec 17 2009 Elio Maldonado - 3.12.5-1.6 +- Fix nsssysinit to enable apps to use system cert store, patch contributed by David Woodhouse (#546221) +- Fix spec so sysinit requires coreutils for post install scriplet (#547067) +- Fix segmentation fault when listing keys or certs in the database, patch contributed by Kamil Dudka (#540387) + +* Thu Dec 10 2009 Elio Maldonado - 3.12.5-1.5 +- Fix nsssysinit to set the default flags on the crypto module (#545779) +- Remove redundant header from the pem module + +* Wed Dec 09 2009 Elio Maldonado - 3.12.5-1.1 +- Remove unneeded patch + +* Thu Dec 03 2009 Elio Maldonado - 3.12.5-1.1 +- Retagging to include missing patch + +* Thu Dec 03 2009 Elio Maldonado - 3.12.5-1 +- Update to 3.12.5 +- Patch to allow ssl/tls clients to interoperate with servers that require renogiation + +* Fri Nov 20 2009 Elio Maldonado - 3.12.4-14.1 +- Retagging + +* Tue Oct 20 2009 Elio Maldonado - 3.12.4-13.1 +- Require nss-softoken of same architecture as nss (#527867) +- Merge setup-nsssysinit.sh improvements from F-12 (#527051) + +* Sat Oct 03 2009 Elio Maldonado - 3.12.4-13 +- User no longer prompted for a password when listing keys an empty system db (#527048) +- Fix setup-nsssysinit to handle more general formats (#527051) + +* Sun Sep 27 2009 Elio Maldonado - 3.12.4-12 +- Fix syntax error in setup-nsssysinit.sh + +* Sun Sep 27 2009 Elio Maldonado - 3.12.4-11 +- Fix sysinit to be under mozilla/security/nss/lib + +* Sat Sep 26 2009 Elio Maldonado - 3.12.4-10 +- Add nss-sysinit activation/deactivation script + +* Fri Sep 18 2009 Elio Maldonado - 3.12.4-8 +- Restoring nssutil and -rpath-link to nss-config for now - 522477 + +* Tue Sep 08 2009 Elio Maldonado - 3.12.4-6 +- Installing shared libraries to %%{_libdir} + +* Mon Sep 07 2009 Elio Maldonado - 3.12.4-5 +- Retagging to pick up new sources + +* Mon Sep 07 2009 Elio Maldonado - 3.12.4-4 +- Update pem enabling source tar with latest fixes (509705, 51209) + +* Sun Sep 06 2009 Elio Maldonado - 3.12.4-3 +- PEM module implements memory management for internal objects - 509705 +- PEM module doesn't crash when processing malformed key files - 512019 + +* Sat Sep 05 2009 Elio Maldonado - 3.12.4-2 +- Remove symbolic links to shared libraries from devel - 521155 +- No rpath-link in nss-softokn-config + +* Tue Sep 01 2009 Elio Maldonado - 3.12.4-1 +- Update to 3.12.4 + +* Mon Aug 31 2009 Elio Maldonado - 3.12.3.99.3-30 +- Fix FORTIFY_SOURCE buffer overflows in test suite on ppc and ppc64 - bug 519766 +- Fixed requires and buildrequires as per recommendations in spec file review + +* Sun Aug 30 2009 Elio Maldonado - 3.12.3.99.3-29 +- Restoring patches 2 and 7 as we still compile all sources +- Applying the nss-nolocalsql.patch solves nss-tools sqlite dependency problems + +* Sun Aug 30 2009 Elio Maldonado - 3.12.3.99.3-28 +- restore require sqlite + +* Sat Aug 29 2009 Elio Maldonado - 3.12.3.99.3-27 +- Don't require sqlite for nss + +* Sat Aug 29 2009 Elio Maldonado - 3.12.3.99.3-26 +- Ensure versions in the requires match those used when creating nss.pc + +* Fri Aug 28 2009 Elio Maldonado - 3.12.3.99.3-25 +- Remove nss-prelink.conf as signed all shared libraries moved to nss-softokn +- Add a temprary hack to nss.pc.in to unblock builds + +* Fri Aug 28 2009 Warren Togami - 3.12.3.99.3-24 +- caolan's nss.pc patch + +* Thu Aug 27 2009 Elio Maldonado - 3.12.3.99.3-23 +- Bump the release number for a chained build of nss-util, nss-softokn and nss + +* Thu Aug 27 2009 Elio Maldonado - 3.12.3.99.3-22 +- Fix nss-config not to include nssutil +- Add BuildRequires on nss-softokn and nss-util since build also runs the test suite + +* Thu Aug 27 2009 Elio Maldonado - 3.12.3.99.3-21 +- disabling all tests while we investigate a buffer overflow bug + +* Thu Aug 27 2009 Elio Maldonado - 3.12.3.99.3-20 +- disabling some tests while we investigate a buffer overflow bug - 519766 + +* Thu Aug 27 2009 Elio Maldonado - 3.12.3.99.3-19 +- remove patches that are now in nss-softokn and +- remove spurious exec-permissions for nss.pc per rpmlint +- single requires line in nss.pc.in + +* Wed Aug 26 2009 Elio Maldonado - 3.12.3.99.3-18 +- Fix BuildRequires: nss-softokn-devel release number + +* Wed Aug 26 2009 Elio Maldonado - 3.12.3.99.3-16 +- cleanups for softokn + +* Tue Aug 25 2009 Dennis Gilmore - 3.12.3.99.3-15 +- remove the softokn subpackages + +* Mon Aug 24 2009 Dennis Gilmore - 3.12.3.99.3-14 +- don install the nss-util pkgconfig bits + +* Mon Aug 24 2009 Dennis Gilmore - 3.12.3.99.3-13 +- remove from -devel the 3 headers that ship in nss-util-devel + +* Mon Aug 24 2009 Dennis Gilmore - 3.12.3.99.3-12 +- kill off the nss-util nss-util-devel subpackages + +* Sun Aug 23 2009 Elio Maldonado+emaldona@redhat.com - 3.12.3.99.3-11 +- split off nss-softokn and nss-util as subpackages with their own rpms +- first phase of splitting nss-softokn and nss-util as their own packages + +* Thu Aug 20 2009 Elio Maldonado - 3.12.3.99.3-10 +- must install libnssutil3.since nss-util is untagged at the moment +- preserve time stamps when installing various files + +* Thu Aug 20 2009 Dennis Gilmore - 3.12.3.99.3-9 +- dont install libnssutil3.so since its now in nss-util + +* Thu Aug 06 2009 Elio Maldonado - 3.12.3.99.3-7.1 +- Fix spec file problems uncovered by Fedora_12_Mass_Rebuild + +* Sat Jul 25 2009 Fedora Release Engineering - 3.12.3.99.3-7 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild + +* Mon Jun 22 2009 Elio Maldonado - 3.12.3.99.3-6 +- removed two patch files which are no longer needed and fixed previous change log number +* Mon Jun 22 2009 Elio Maldonado - 3.12.3.99.3-5 +- updated pem module incorporates various patches +- fix off-by-one error when computing size to reduce memory leak. (483855) +- fix data type to work on x86_64 systems. (429175) +- fix various memory leaks and free internal objects on module unload. (501080) +- fix to not clone internal objects in collect_objects(). (501118) +- fix to not bypass initialization if module arguments are omitted. (501058) +- fix numerous gcc warnings. (500815) +- fix to support arbitrarily long password while loading a private key. (500180) +- fix memory leak in make_key and memory leaks and return values in pem_mdSession_Login (501191) +* Mon Jun 08 2009 Elio Maldonado - 3.12.3.99.3-4 +- add patch for bug 502133 upstream bug 496997 +* Fri Jun 05 2009 Kai Engert - 3.12.3.99.3-3 +- rebuild with higher release number for upgrade sanity +* Fri Jun 05 2009 Kai Engert - 3.12.3.99.3-2 +- updated to NSS_3_12_4_FIPS1_WITH_CKBI_1_75 +* Thu May 07 2009 Kai Engert - 3.12.3-7 +- re-enable test suite +- add patch for upstream bug 488646 and add newer paypal + certs in order to make the test suite pass +* Wed May 06 2009 Kai Engert - 3.12.3-4 +- add conflicts info in order to fix bug 499436 +* Tue Apr 14 2009 Kai Engert - 3.12.3-3 +- ship .chk files instead of running shlibsign at install time +- include .chk file in softokn-freebl subpackage +- add patch for upstream nss bug 488350 +* Tue Apr 14 2009 Kai Engert - 3.12.3-2 +- Update to NSS 3.12.3 +* Mon Apr 06 2009 Kai Engert - 3.12.2.99.3-7 +- temporarily disable the test suite because of bug 494266 +* Mon Apr 06 2009 Kai Engert - 3.12.2.99.3-6 +- fix softokn-freebl dependency for multilib (bug 494122) +* Thu Apr 02 2009 Kai Engert - 3.12.2.99.3-5 +- introduce separate nss-softokn-freebl package +* Thu Apr 02 2009 Kai Engert - 3.12.2.99.3-4 +- disable execstack when building freebl +* Tue Mar 31 2009 Kai Engert - 3.12.2.99.3-3 +- add upstream patch to fix bug 483855 +* Tue Mar 31 2009 Kai Engert - 3.12.2.99.3-2 +- build nspr-less freebl library +* Tue Mar 31 2009 Kai Engert - 3.12.2.99.3-1 +- Update to NSS_3_12_3_BETA4 + +* Wed Feb 25 2009 Fedora Release Engineering - 3.12.2.0-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild + +* Wed Oct 22 2008 Kai Engert - 3.12.2.0-3 +- update to NSS_3_12_2_RC1 +- use system zlib +* Tue Sep 30 2008 Dennis Gilmore - 3.12.1.1-4 +- add sparc64 to the list of 64 bit arches + +* Wed Sep 24 2008 Kai Engert - 3.12.1.1-3 +- bug 456847, move pkgconfig requirement to devel package +* Fri Sep 05 2008 Kai Engert - 3.12.1.1-2 +- Update to NSS_3_12_1_RC2 +* Fri Aug 22 2008 Kai Engert - 3.12.1.0-2 +- NSS 3.12.1 RC1 +* Fri Aug 15 2008 Kai Engert - 3.12.0.3-7 +- fix bug bug 429175 in libpem module +* Tue Aug 05 2008 Kai Engert - 3.12.0.3-6 +- bug 456847, add Requires: pkgconfig +* Tue Jun 24 2008 Kai Engert - 3.12.0.3-3 +- nss package should own /etc/prelink.conf.d folder, rhbz#452062 +- use upstream patch to fix test suite abort +* Mon Jun 02 2008 Kai Engert - 3.12.0.3-2 +- Update to NSS_3_12_RC4 +* Mon Apr 14 2008 Kai Engert - 3.12.0.1-1 +- Update to NSS_3_12_RC2 +* Thu Mar 20 2008 Jesse Keating - 3.11.99.5-2 +- Zapping old Obsoletes/Provides. No longer needed, causes multilib headache. +* Mon Mar 17 2008 Kai Engert - 3.11.99.5-1 +- Update to NSS_3_12_BETA3 +* Fri Feb 22 2008 Kai Engert - 3.11.99.4-1 +- NSS 3.12 Beta 2 +- Use /usr/lib{64} as devel libdir, create symbolic links. +* Sat Feb 16 2008 Kai Engert - 3.11.99.3-6 +- Apply upstream patch for bug 417664, enable test suite on pcc. +* Fri Feb 15 2008 Kai Engert - 3.11.99.3-5 +- Support concurrent runs of the test suite on a single build host. +* Thu Feb 14 2008 Kai Engert - 3.11.99.3-4 +- disable test suite on ppc +* Thu Feb 14 2008 Kai Engert - 3.11.99.3-3 +- disable test suite on ppc64 + +* Thu Feb 14 2008 Kai Engert - 3.11.99.3-2 +- Build against gcc 4.3.0, use workaround for bug 432146 +- Run the test suite after the build and abort on failures. + +* Thu Jan 24 2008 Kai Engert - 3.11.99.3-1 +* NSS 3.12 Beta 1 + +* Mon Jan 07 2008 Kai Engert - 3.11.99.2b-3 +- move .so files to /lib + +* Wed Dec 12 2007 Kai Engert - 3.11.99.2b-2 +- NSS 3.12 alpha 2b + +* Mon Dec 03 2007 Kai Engert - 3.11.99.2-2 +- upstream patches to avoid calling netstat for random data + +* Wed Nov 07 2007 Kai Engert - 3.11.99.2-1 +- NSS 3.12 alpha 2 + +* Wed Oct 10 2007 Kai Engert - 3.11.7-10 +- Add /etc/prelink.conf.d/nss-prelink.conf in order to blacklist + our signed libraries and protect them from modification. + +* Thu Sep 06 2007 Rob Crittenden - 3.11.7-9 +- Fix off-by-one error in the PEM module + +* Thu Sep 06 2007 Kai Engert - 3.11.7-8 +- fix a C++ mode compilation error + +* Wed Sep 05 2007 Bob Relyea - 3.11.7-7 +- Add 3.12 ckfw and libnsspem + +* Tue Aug 28 2007 Kai Engert - 3.11.7-6 +- Updated license tag + +* Wed Jul 11 2007 Kai Engert - 3.11.7-5 +- Ensure the workaround for mozilla bug 51429 really get's built. + +* Mon Jun 18 2007 Kai Engert - 3.11.7-4 +- Better approach to ship freebl/softokn based on 3.11.5 +- Remove link time dependency on softokn + +* Sun Jun 10 2007 Kai Engert - 3.11.7-3 +- Fix unowned directories, rhbz#233890 + +* Fri Jun 01 2007 Kai Engert - 3.11.7-2 +- Update to 3.11.7, but freebl/softokn remain at 3.11.5. +- Use a workaround to avoid mozilla bug 51429. + +* Fri Mar 02 2007 Kai Engert - 3.11.5-2 +- Fix rhbz#230545, failure to enable FIPS mode +- Fix rhbz#220542, make NSS more tolerant of resets when in the + middle of prompting for a user password. + +* Sat Feb 24 2007 Kai Engert - 3.11.5-1 +- Update to 3.11.5 +- This update fixes two security vulnerabilities with SSL 2 +- Do not use -rpath link option +- Added several unsupported tools to tools package + +* Tue Jan 9 2007 Bob Relyea - 3.11.4-4 +- disable ECC, cleanout dead code + +* Tue Nov 28 2006 Kai Engert - 3.11.4-1 +- Update to 3.11.4 + +* Thu Sep 14 2006 Kai Engert - 3.11.3-2 +- Revert the attempt to require latest NSPR, as it is not yet available + in the build infrastructure. + +* Thu Sep 14 2006 Kai Engert - 3.11.3-1 +- Update to 3.11.3 + +* Thu Aug 03 2006 Kai Engert - 3.11.2-2 +- Add /etc/pki/nssdb + +* Wed Jul 12 2006 Jesse Keating - 3.11.2-1.1 +- rebuild + +* Fri Jun 30 2006 Kai Engert - 3.11.2-1 +- Update to 3.11.2 +- Enable executable bit on shared libs, also fixes debug info. + +* Wed Jun 14 2006 Kai Engert - 3.11.1-2 +- Enable Elliptic Curve Cryptography (ECC) + +* Fri May 26 2006 Kai Engert - 3.11.1-1 +- Update to 3.11.1 +- Include upstream patch to limit curves + +* Wed Feb 15 2006 Kai Engert - 3.11-4 +- add --noexecstack when compiling assembler on x86_64 + +* Fri Feb 10 2006 Jesse Keating - 3.11-3.2 +- bump again for double-long bug on ppc(64) + +* Tue Feb 07 2006 Jesse Keating - 3.11-3.1 +- rebuilt for new gcc4.1 snapshot and glibc changes + +* Thu Jan 19 2006 Ray Strode 3.11-3 +- rebuild + +* Fri Dec 16 2005 Christopher Aillon 3.11-2 +- Update file list for the devel packages + +* Thu Dec 15 2005 Christopher Aillon 3.11-1 +- Update to 3.11 + +* Thu Dec 15 2005 Christopher Aillon 3.11-0.cvs.2 +- Add patch to allow building on ppc* +- Update the pkgconfig file to Require nspr + +* Thu Dec 15 2005 Christopher Aillon 3.11-0.cvs +- Initial import into Fedora Core, based on a CVS snapshot of + the NSS_3_11_RTM tag +- Fix up the pkcs11-devel subpackage to contain the proper headers +- Build with RPM_OPT_FLAGS +- No need to have rpath of /usr/lib in the pc file + +* Thu Dec 15 2005 Kai Engert +- Adressed review comments by Wan-Teh Chang, Bob Relyea, + Christopher Aillon. + +* Sat Jul 9 2005 Rob Crittenden 3.10-1 +- Initial build